lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <41A1F9C5.5090408@altervista.org> Date: Mon, 22 Nov 2004 15:37:57 +0100 From: Komrade <unsecure@...ervista.org> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: WeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability AUTHOR Komrade unsecure@...ervista.org http://unsecure.altervista.org DATE 22/11/2004 PRODUCT WodFtpDLX is an ActiveX component that supports encrypted and non-encrypted FTP access to the servers for transferring files. It can be used in various programs, scripts, web applications to connect to FTP servers. The ActiveX is named "WodFtpDLX.ocx" and could be found on the default "windows\system32" directory (if installed by any application). AFFECTED VERSION All verion prior to 2.3.2.97 (version fixed by the vendor) Versions verified to be vulnerable: 2.2.0.1 2.3.0.0 2.3.2.90 2.3.2.94 DETAILS I discovered that this ActiveX doesn't correctly handle a very long file name sent from an FTP server. This vulnerability occurs when the ActiveX copies the name of the files stored in an FTP server in the stack, using a strncpy() function that not correctly sets the maximum length of the string. It is possible to overwrite a SEH address and cause an exception to the program, being able to execute arbitrary commands remotely to a target machine. POC EXPLOIT You can find a proof of concept exploit that crashes all the programs based on the vulnerable ActiveX. http://unsecure.altervista.org/security/wodftpcrash.c VENDOR STATUS I notified this vulnerability to the vendor on 18/11/2004 and they create a new fixed version of the ActiveX. See http://weonlydo.com to download the new fixed verion. VULNERABILITY TIMELINE 16/11/2004 Vulnerbility found. 18/11/2004 Vendor contacted for the first time. 18/11/2004 Vendor reply. 19/11/2004 Vulnerability fixed. A new version is now avaible. 22/11/2004 Public disclosure. -- - Unsecure Programs - - http://unsecure.altervista.org - - Vulnerabilities and exploits - - http://unsecure.altervista.org/security.htm - _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists