lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060102022801.4372.qmail@securityfocus.com>
Date: 2 Jan 2006 02:28:01 -0000
From: k4p0k4p0@...mail.com
To: bugtraq@...urityfocus.com
Subject: NicoFTP Stack Overflow


/* 
 * Name: NicoFTP Stack Overflow
 * Version: 3.0.1.19
 * Developer: NicoSW
 * Developer site: www.nicosw.com (Offline)
 * Developer contact: nicoftp[at]nicosw[dot]com
 * Discovered by: K4P0 <k4p0k4p0[at]hotmail[dot]com>
 * Founded: 12/29/2005 (MM/DD/YYYY)
 * Published: 01/01/2006 (MM/DD/YYYY)
 */

-- Intro

NicoFTP is a Freeware, ligth, simple and fast FTP client program. This bug affects this software on version 3.0.1.19 and erlier ones.

-- Bug

A simple stack overflow.

-- Fix

It isn't an open-source software, but it could be fixed by checking the length of the personalizable name of the FTP site before storing it into memory.

-- Exploit

A new FTP (or modify) account must be created; when filling the 'Name of site' , write 4101 random characters, then write 4 characters more that will produce the Stack Overflow by trying to access to that address.
It's a better idea to modify the 'Name' value through the Sites.conf.(The 'Name' field it's located between [ ]).

I didn't have success by trying to make the exploit, because it executes many instructions using registers that are also overwrited, so when it trys to read the address form the registers (precisely eax & ebx) it goes to a nonexisten address, such as 0x41414141.
I tryed to modify the addresses where the registers pointed at, but it's almost impossible.

As a proof of concept you can try to write a string in the corresponding field taking care how many characters you write; if you wanna try, follow the above instructions.
You can find a string I made in : www.usuarios.lycos.es/altohack/adv/NicoFTPProof.txt


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ