lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <d65cd43905082403475d8737d@mail.gmail.com>
Date: Wed Aug 24 11:47:30 2005
From: smaillist at gmail.com (Sowhat .)
Subject: LeapFTP .lsq Buffer Overflow Vulnerability

LeapFTP .lsq Buffer Overflow Vulnerability

by Sowhat

Last Update:2005.08.24

http://secway.org/advisory/AD20050824.txt

Vendor:

LeapWare Inc.

Product Affected:

LeapFTP < 2.7.6.612

Overview:

LeapFTP is the award-winning shareware FTP client that combines an 
intuitive interface with one of the most powerful client bases around. 


Details:

.LSQ is the LeapFTP Site Queue file, And it is registered with Windows
by LeapFTP. You can save a transfer Queue to .lsq files and transfer it
later by opening the .lsq files. 

However, LeapFTP does not properly check the length of the "Host" fields,
when a overly long string is supplied, there will be a buffer overflow
and probably arbitrary code execution.

This vulnerability can be exploited by sending the malformed .lsq file
to the victim, after the victim open the .lsq file, arbitray code may
executed.


//bof.lsq

[HOSTINFO]
HOST=AAAAA...[ long string ]...AAAAA
USER=username
PASS=password

[FILES]
"1","/winis/ApiList.zip","477,839","E:\ApiList.zip"

SOLUTION:

All users are encouraged to upgrade to 2.7.6 immediately
Vendor also released an advisory:
http://www.leapware.com/security/2005082301.txt

Vendor Response:

2005.08.22 Vendor notified via online WebForm 
2005.08.23 Vendor responsed and bug fixed
2005.08.24 Vendor released the new version 2.7.6.612
2005.08.24 Advisory Released

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ