Work in Progress: FileZilla Server Terminal V0.9.4d Buffer Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Work in Progress: FileZilla Server Terminal V0.9.4d Buffer Overflow
From: inge.henriksen@xxxxxxxxxxxxxxx
Date: 7 Nov 2005 08:43:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

** Inge Henriksen Security Advisory inge.henriksen@xxxxxxxxxxxxxxx **

I have discovered a buffer overflow in FileZilla Server Terminal 0.9.4d. The 
exploit is still to be considered as a work in progress as it is still not 
clear to me why the exploit works on some systems and not others. Please let me 
know if you manage to reproduce the exploit and perhaps we can figure out the 
differences.

Stable Exploit Test System
Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Tecnical Description
The FileZilla Server has a user interface that is used to configure and monitor 
the FileZilla Server. By sending a long USER ftp command to the FileZilla 
Server a successfull attack may crash the FileZilla Server Terminal process. 
Note that the FileZilla Server itself does not crash.

Proof of Concept
The exploit is somewhat diffcult to exploit. On the stable exploit test system 
I have understood that the following steps will crash the FileZilla Server 
Terminal process:


Start the FileZilla Server
Start the FileZilla Server Terminal and login to the FileZilla Server started 
in step 1
Send the following USER commands; "USER A", "USER AA", "USER AAA" etc 
incrementing by one letter ("A") in the command.
The FileZilla Server Terminal usually crashes after about 900-3000 "A"s' . The 
rpt file says the following:

System details:
---------------
Operating System:
Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Processor Information: Vendor: GenuineIntel ,Speed: 1728MHz ,Type: Intel 
Pentium compatible,Number Of Processors: 1 ,Architecture: Intel ,Level: Pentium 
II/Pro,Stepping: 33-36
Memory Information: Memory Used 69%, Total Physical Memory 769328KB, Physical 
Memory Available 233460KB, Total Virtual Memory 2097024KB, Available Virtual 
Memory 2061140KB, Working Set Min : 200KB Max : 1380KB .

Exception Details:
------------------
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 7C910F29 01:0000FF29 C:\WINDOWS\system32\ntdll.dll

Call stack:
-----------
Address Frame Function SourceFile
7C910F29 0012FA9C 0001:0000FF29 C:\WINDOWS\system32\ntdll.dll
7C910D5C 0012FB70 0001:0000FD5C C:\WINDOWS\system32\ntdll.dll
00438A1A 0012FBAC 0001:00037A1A C:\Programfiler\FileZilla Server\FileZilla 
Server Interface.exe
00405049 0012FBD4 0001:00004049 C:\Programfiler\FileZilla Server\FileZilla 
Server Interface.exe
0040562C 0012FC00 0001:0000462C C:\Programfiler\FileZilla Server\FileZilla 
Server Interface.exe
77D38734 0012FC2C 0001:00007734 C:\WINDOWS\system32\USER32.dll77D38816 0012FC94 
0001:00007816 C:\WINDOWS\system32\USER32.dll
77D3C63F 0012FCC4 0001:0000B63F C:\WINDOWS\system32\USER32.dll77D3E905 0012FCE4 
0001:0000D905 C:\WINDOWS\system32\USER32.dll
0045F924 0012FD58 0001:0005E924 C:\Programfiler\FileZilla Server\FileZilla 
Server Interface.exe
77D38734 0012FD84 0001:00007734 C:\WINDOWS\system32\USER32.dll
77D38816 0012FDEC 0001:00007816 C:\WINDOWS\system32\USER32.dll
77D389CD 0012FE4C 0001:000079CD C:\WINDOWS\system32\USER32.dll
77D396C7 0012FE5C 0001:000086C7 C:\WINDOWS\system32\USER32.dll

Prev by Date: [SECURITY] [DSA 888-1] New OpenSSL packages fix cryptographic weakness
Next by Date: [SECURITY] [DSA 886-1] New chmlib packages fix several vulnerabilities
Previous by thread: [SECURITY] [DSA 888-1] New OpenSSL packages fix cryptographic weakness
Next by thread: Re: Work in Progress: FileZilla Server Terminal V0.9.4d Buffer Overflow
Index(es):
- Date
- Thread