Message-ID: <20030908202530.24144.qmail@sf-www1-symnsj.securityfocus.com>
Date: 8 Sep 2003 20:25:30 -0000
From: Bahaa Naamneh <b_naamneh@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Multiple Heap Overflows in FTP Desktop




Multiple Heap Overflows in FTP Desktop


Introduction:
=============
"FTP Desktop lets you access FTP sites as if they were folders on your
computer.
Now you can move your files between your hard disk and remote FTP sites
with greater ease."
- Vendor's Description
   [ http://www.ftpdesktop.com ]

Note:
FTP Desktop is fully integrated into Windows Explorer, so the actual
module at fault appears as 'explorer.exe'.


Details:
========
Vulnerable systems: FTP Desktop version 3.5 (and possibly earlier
versions).

Vulnerability: It is possible to cause a heap overflow in FTP Desktop,
allowing total modification of the EIP pointer - this can be maliciously
altered to allow remote arbitrary code execution. The overflow occurs in
the FTP banner and other areas, as shown here:

FTP Banner:
-----------
(FTP Desktop connected...)
    PADDING EBP  EIP
220 [229xA][4xB][4xX]
(Access violation when executing 0x58585858) // 4xX

Username:
---------
(FTP Desktop Sends 'USER username')
    PADDING EBP  EIP
331 [229xA][4xB][4xX]
(Access violation when executing 0x58585858) // 4xX

Password:
---------
(FTP Desktop Sends 'PASS password')
    PADDING EBP  EIP
331 [229xA][4xB][4xX]
(Access violation when executing 0x58585858) // 4xX


Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:

http://www.ftpdesktop.net/download.html
[ http://www.ftpdesktop.net/download/ftpsetup.exe ]


Exploit:
========
http://www.elitehaven.net/ftpdesktop.zip

(I would like to thank Peter Winter-Smith for helping me with the exploitation)


Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh@...mail.com
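
Added example, not part of the original advisory and not FTP Desktop's code (which the advisory does not show): a client-side FTP reply parser that takes the length from the network read and rejects reply text that does not fit its buffer, instead of copying it. The function names, error codes and the 128-byte cap are assumptions; the sample banner is constructed with the byte layout shown under "Details".

```c
#include <stddef.h>
#include <string.h>

#define FTP_TEXT_MAX 128   /* assumed cap on reply text, not from the advisory */
enum { FTP_OK = 0, FTP_ERR_FORMAT = -1, FTP_ERR_TOOLONG = -2 };

/* Parse one FTP reply line ("220 text\r\n") of `len` bytes as received.
 * On success stores the 3-digit code and a NUL-terminated copy of the text;
 * on any error `text` is left empty and `*code` is untouched. */
int ftp_parse_reply(const char *line, size_t len, int *code,
                    char *text, size_t text_cap)
{
    size_t i, text_len;

    if (text_cap == 0) return FTP_ERR_FORMAT;
    text[0] = '\0';

    /* Strip the trailing CR/LF so they do not count as reply text. */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    /* Three digits, then ' ' (or '-' for a multi-line reply). */
    if (len < 4) return FTP_ERR_FORMAT;
    for (i = 0; i < 3; i++)
        if (line[i] < '0' || line[i] > '9') return FTP_ERR_FORMAT;
    if (line[3] != ' ' && line[3] != '-') return FTP_ERR_FORMAT;

    /* Reject, rather than copy, text that does not fit with its NUL. */
    text_len = len - 4;
    if (text_len >= text_cap) return FTP_ERR_TOOLONG;

    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    memcpy(text, line + 4, text_len);
    text[text_len] = '\0';
    return FTP_OK;
}

/* Constructed sample: "220 " + 229 'A' + 4 'B' + 4 'X' + CRLF (243 bytes). */
size_t make_long_banner(char *out, size_t cap)
{
    const size_t need = 4 + 229 + 4 + 4 + 2;
    if (cap < need) return 0;
    memcpy(out, "220 ", 4);
    memset(out + 4, 'A', 229);
    memset(out + 233, 'B', 4);
    memset(out + 237, 'X', 4);
    memcpy(out + 241, "\r\n", 2);
    return need;
}
```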

