Open Source and information security mailing list archives
Date: Wed Aug 24 22:48:04 2005
From: augm58 at dsl.pipex.com (Paul Farrow)
Subject: Re: LeapFTP .lsq Buffer Overflow Vulnerability

However if you can successfully create a working exploit to execute
arbitrary code, simply calling the file something like

topsiteSVCDqueue.lsq and sticking it on some p2p networks... could
probably score yourself a few hits.

... not that I'm suggesting anyone try this... that would just be wrong.

Kaveh Razavi wrote:

>it is not a high risk vulnerability.
>chance of making a stable exploit in a unicode
>overflow is low.
>Regards
>
>c0d3r of IHS
>Network Security Researcher
>
>>LeapFTP .lsq Buffer Overflow Vulnerability
>>
>>by Sowhat
>>
>>Last Update: 2005.08.24
>>
>>http://secway.org/advisory/AD20050824.txt
>>
>>Vendor:
>>
>>LeapWare Inc.
>>
>>Product Affected:
>>
>>LeapFTP < 2.7.6.612
>>
>>Overview:
>>
>>LeapFTP is the award-winning shareware FTP client that combines an
>>intuitive interface with one of the most powerful client bases around.
>>
>>Details:
>>
>>.LSQ is the LeapFTP Site Queue file, and it is registered with Windows
>>by LeapFTP. You can save a transfer queue to .lsq files and transfer it
>>later by opening the .lsq files.
>>
>>However, LeapFTP does not properly check the length of the "Host" field;
>>when an overly long string is supplied, there will be a buffer overflow
>>and probably arbitrary code execution.
>>
>>This vulnerability can be exploited by sending the malformed .lsq file
>>to the victim; after the victim opens the .lsq file, arbitrary code may
>>be executed.
>>
>>//bof.lsq
>>
>>[HOSTINFO]
>>HOST=AAAAA...[ long string ]...AAAAA
>>USER=username
>>PASS=password
>>
>>[FILES]
>>"1","/winis/ApiList.zip","477,839","E:\ApiList.zip"
>>
>>SOLUTION:
>>
>>All users are encouraged to upgrade to 2.7.6 immediately.
>>Vendor also released an advisory:
>>http://www.leapware.com/security/2005082301.txt
>>
>>Vendor Response:
>>
>>2005.08.22 Vendor notified via online WebForm
>>2005.08.23 Vendor responded and bug fixed
>>2005.08.24 Vendor released the new version 2.7.6.612
>>2005.08.24 Advisory Released

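As an added illustration for this thread (not part of the posts above and not LeapFTP's own code), a small Python checker that parses the .lsq layout shown in the advisory and flags a HOST value too long to be a hostname; the 253-character limit, the sample files and all function names are assumptions made for the example.

```python
"""Scan LeapFTP .lsq site-queue files for an over-long HOST field.

Added checker, not LeapFTP's code. It follows the .lsq layout shown in the
advisory: an INI-like [HOSTINFO] section with HOST=, USER= and PASS= lines,
then a [FILES] section of quoted CSV rows. 253 chars is the longest valid
DNS hostname, so a longer HOST value cannot name a real site (assumed limit).
"""
from typing import Dict, List, Optional

MAX_HOSTNAME_LEN = 253  # longest valid DNS hostname


def parse_lsq(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines by their [SECTION]; section names upper-cased."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def hostinfo_fields(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Split the KEY=VALUE lines of [HOSTINFO] on the first '=' only."""
    fields: Dict[str, str] = {}
    for line in sections.get("HOSTINFO", []):
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip().upper()] = value
    return fields


def scan_lsq(text: str, limit: int = MAX_HOSTNAME_LEN) -> List[str]:
    """Return findings for one .lsq file; an empty list means it looks sane."""
    host = hostinfo_fields(parse_lsq(text)).get("HOST")
    if host is None:
        return ["no HOST field in [HOSTINFO]"]
    if len(host) > limit:
        return [f"HOST field is {len(host)} chars (limit {limit})"]
    return []


# Constructed samples: a benign queue and one shaped like the advisory's bof.lsq
BENIGN = ("[HOSTINFO]\nHOST=ftp.example.com\nUSER=username\nPASS=password\n"
          "[FILES]\n\"1\",\"/pub/a.zip\",\"1,024\",\"C:\\a.zip\"\n")
MALFORMED = BENIGN.replace("ftp.example.com", "A" * 2000)
```

Running scan_lsq over every .lsq attachment or download on a mail or file gateway gives a cheap signal for the malformed files the advisory describes.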