Message-ID: <430CE9FD.20503@dsl.pipex.com>
Date: Wed Aug 24 22:48:04 2005
From: augm58 at dsl.pipex.com (Paul Farrow)
Subject: Re: LeapFTP .lsq Buffer Overflow Vulnerability
However, if you can successfully create a working exploit to execute
arbitrary code, simply calling the file something like
topsiteSVCDqueue.lsq and sticking it on some p2p networks... could
probably score yourself a few hits.
... not that I'm suggesting anyone try this... that would just be wrong.
Kaveh Razavi wrote:
>It is not a high risk vulnerability.
>The chance of making a stable exploit in a unicode
>overflow is low.
>Regards
>
>c0d3r of IHS
>Network Security Researcher
>
>
>
>>LeapFTP .lsq Buffer Overflow Vulnerability
>>
>>by Sowhat
>>
>>Last Update:2005.08.24
>>
>>http://secway.org/advisory/AD20050824.txt
>>
>>Vendor:
>>
>>LeapWare Inc.
>>
>>Product Affected:
>>
>>LeapFTP < 2.7.6.612
>>
>>Overview:
>>
>>LeapFTP is the award-winning shareware FTP client
>>that combines an
>>intuitive interface with one of the most powerful
>>client bases around.
>>
>>
>>Details:
>>
>>.LSQ is the LeapFTP Site Queue file, and it is
>>registered with Windows by LeapFTP. You can save a
>>transfer queue to .lsq files and transfer it
>>later by opening the .lsq file.
>>
>>However, LeapFTP does not properly check the length
>>of the "Host" field; when an overly long string is
>>supplied, there will be a buffer overflow and
>>probably arbitrary code execution.
>>
>>This vulnerability can be exploited by sending the
>>malformed .lsq file to the victim; after the victim
>>opens the .lsq file, arbitrary code may be
>>executed.
>>
>>
>>//bof.lsq
>>
>>[HOSTINFO]
>>HOST=AAAAA...[ long string ]...AAAAA
>>USER=username
>>PASS=password
>>
>>[FILES]
>>"1","/winis/ApiList.zip","477,839","E:\ApiList.zip"
>>
>>SOLUTION:
>>
>>All users are encouraged to upgrade to 2.7.6
>>immediately
>>Vendor also released an advisory:
>>http://www.leapware.com/security/2005082301.txt
>>
>>Vendor Response:
>>
>>2005.08.22 Vendor notified via online WebForm
>>2005.08.23 Vendor responded and bug fixed
>>2005.08.24 Vendor released the new version 2.7.6.612
>>2005.08.24 Advisory Released
>>
>>
>>
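A defensive check for the file format the advisory describes, as an added example that is not part of this thread or of LeapFTP's own code: it parses the INI-like .lsq layout shown above (a `[HOSTINFO]` section of `KEY=value` lines and a `[FILES]` section of quoted CSV rows) and flags a `HOST` value that is either oversized or not syntactically a hostname or IPv4 address. The length limits (253 characters for `HOST`, 1024 for any other field) and the hostname syntax rules are assumptions, since the advisory does not state the size of the overflowed buffer; the sample queue files are constructed here.

```python
"""Scan LeapFTP-style .lsq site-queue files for oversized or malformed fields."""
import re

# Assumed policy limits, not values from the advisory: it does not state the
# size of the overflowed buffer, so the longest legal DNS hostname (253 chars)
# is used as the ceiling for HOST and a generous cap for every other field.
MAX_HOST_LEN = 253
MAX_FIELD_LEN = 1024

# Syntactic check: RFC 1123 style labels joined by dots, or a dotted IPv4.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def parse_lsq(text):
    """Parse INI-like .lsq text into {SECTION: [(KEY, value), ...]}.

    The [FILES] section holds quoted CSV rows with no '=', so those lines are
    kept as ('ROW', line) entries instead of being rejected.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "//")):
            continue  # blank or comment line (the advisory's PoC uses //)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().upper()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("field appears before the first [section] header")
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().upper(), value.strip()))
        else:
            sections[current].append(("ROW", line))
    return sections


def find_oversized(sections, host_limit=MAX_HOST_LEN, field_limit=MAX_FIELD_LEN):
    """Return (section, key, length) for every value longer than its limit."""
    findings = []
    for section, items in sections.items():
        for key, value in items:
            limit = host_limit if (section, key) == ("HOSTINFO", "HOST") else field_limit
            if len(value) > limit:
                findings.append((section, key, len(value)))
    return findings


def check_host(sections):
    """Return a list of problems with HOSTINFO/HOST; an empty list means it looks sane."""
    problems = []
    hostinfo = dict(sections.get("HOSTINFO", []))
    host = hostinfo.get("HOST")
    if host is None:
        return ["missing HOSTINFO/HOST"]
    if len(host) > MAX_HOST_LEN:
        problems.append(f"HOST is {len(host)} chars, over the {MAX_HOST_LEN} limit")
    if not (HOSTNAME_RE.match(host) or IPV4_RE.match(host)):
        problems.append("HOST is neither a syntactic hostname nor an IPv4 address")
    return problems


def scan_lsq(text):
    """True if the queue file passes both the length and the HOST syntax checks."""
    sections = parse_lsq(text)
    return not find_oversized(sections) and not check_host(sections)


# Constructed samples: the benign one follows the layout of the advisory's PoC,
# the oversized one swaps in a 600-character HOST value.
BENIGN_LSQ = """[HOSTINFO]
HOST=ftp.example.com
USER=username
PASS=password

[FILES]
"1","/pub/readme.txt","1,024","C:\\readme.txt"
"""

OVERSIZED_LSQ = BENIGN_LSQ.replace("HOST=ftp.example.com", "HOST=" + "A" * 600)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_LSQ), ("oversized", OVERSIZED_LSQ)):
        secs = parse_lsq(sample)
        print(name, find_oversized(secs), check_host(secs))
```

Pointing `scan_lsq` at a downloaded queue file before handing it to a client is the cheap mitigation this check offers; a file that trips either check should simply not be opened in the vulnerable version.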