<<< Date Index >>>     <<< Thread Index >>>

Re: Multiple Heap Overflows in FTP Desktop



In-Reply-To: <20030908202530.24144.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

The heap overflow bug has been fixed. The new FTP Desktop version is now 
available for downloading from http://www.ftpdesktop.net/download.html


>Received: (qmail 27051 invoked from network); 8 Sep 2003 20:49:01 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 8 Sep 2003 20:49:01 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com 
>[205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 90883A30EE; Mon,  8 Sep 2003 14:53:45 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 8052 invoked from network); 8 Sep 2003 14:26:31 -0000
>Date: 8 Sep 2003 20:25:30 -0000
>Message-ID: <20030908202530.24144.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Bahaa Naamneh <b_naamneh@xxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Multiple Heap Overflows in FTP Desktop
>
>
>
>Multiple Heap Overflows in FTP Desktop
>
>
>Introduction:
>=============
>"FTP Desktop lets you access FTP sites as if they were folders on your
>computer.
>Now you can move your files between your hard disk and remote FTP sites
>with greater ease."
>- Vendors Description
>   [ http://www.ftpdesktop.com ]
>
>Note:
>FTP Desktop is fully integrated into Windows Explorer, so the actual 
>module
>at fault appears as 'explorer.exe'.
>
>
>Details:
>========
>Vulnerable systems: FTP Desktop version 3.5 (and possibly earlier
>versions).
>
>Vulnerability: It is possible to cause a Heap overflow in FTP Desktop,
>allowing total modification of the EIP pointer - this can be maliciously
>altered to allow remote arbitrary code execution. The overflow occurs in
>the FTP banner and others areas as it shown here:
>
>FTP Banner:
>-----------
>(FTP Desktop connected...)
>    PADDING EBP  EIP
>220 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>Username:
>---------
>(FTP Desktop Sends 'USER username')
>    PADDING EBP  EIP
>331 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>Password:
>---------
>(FTP Desktop Sends 'PASS password')
>    PADDING EBP  EIP
>331 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>
>Vendor status:
>==============
>The vendor has been informed, and they are fixing this bug.
>The updated version, when released, can be downloaded from:
>
>http://www.ftpdesktop.net/download.html
>[ http://www.ftpdesktop.net/download/ftpsetup.exe ]
>
>
>Exploit:
>========
>http://www.elitehaven.net/ftpdesktop.zip
>
>(I would thank Peter Winter-Smith for helping me in the exploitation)
>
>
>Discovered by/Credit:
>=====================
>Bahaa Naamneh
>b_naamneh@xxxxxxxxxxx
>