Re: Multiple Heap Overflows in FTP Desktop
In-Reply-To: <20030908202530.24144.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
The heap overflow bug has been fixed. The new FTP Desktop version is now
available for downloading from http://www.ftpdesktop.net/download.html
>Received: (qmail 27051 invoked from network); 8 Sep 2003 20:49:01 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 8 Sep 2003 20:49:01 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
>[205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 90883A30EE; Mon, 8 Sep 2003 14:53:45 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 8052 invoked from network); 8 Sep 2003 14:26:31 -0000
>Date: 8 Sep 2003 20:25:30 -0000
>Message-ID: <20030908202530.24144.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Bahaa Naamneh <b_naamneh@xxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Multiple Heap Overflows in FTP Desktop
>
>
>
>Multiple Heap Overflows in FTP Desktop
>
>
>Introduction:
>=============
>"FTP Desktop lets you access FTP sites as if they were folders on your
>computer.
>Now you can move your files between your hard disk and remote FTP sites
>with greater ease."
>- Vendors Description
> [ http://www.ftpdesktop.com ]
>
>Note:
>FTP Desktop is fully integrated into Windows Explorer, so the actual
>module
>at fault appears as 'explorer.exe'.
>
>
>Details:
>========
>Vulnerable systems: FTP Desktop version 3.5 (and possibly earlier
>versions).
>
>Vulnerability: It is possible to cause a Heap overflow in FTP Desktop,
>allowing total modification of the EIP pointer - this can be maliciously
>altered to allow remote arbitrary code execution. The overflow occurs in
>the FTP banner and others areas as it shown here:
>
>FTP Banner:
>-----------
>(FTP Desktop connected...)
> PADDING EBP EIP
>220 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>Username:
>---------
>(FTP Desktop Sends 'USER username')
> PADDING EBP EIP
>331 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>Password:
>---------
>(FTP Desktop Sends 'PASS password')
> PADDING EBP EIP
>331 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>
>Vendor status:
>==============
>The vendor has been informed, and they are fixing this bug.
>The updated version, when released, can be downloaded from:
>
>http://www.ftpdesktop.net/download.html
>[ http://www.ftpdesktop.net/download/ftpsetup.exe ]
>
>
>Exploit:
>========
>http://www.elitehaven.net/ftpdesktop.zip
>
>(I would thank Peter Winter-Smith for helping me in the exploitation)
>
>
>Discovered by/Credit:
>=====================
>Bahaa Naamneh
>b_naamneh@xxxxxxxxxxx
>