Work in Progress: FileZilla Server Terminal V0.9.4d Buffer Overflow
** Inge Henriksen Security Advisory inge.henriksen@xxxxxxxxxxxxxxx **
I have discovered a buffer overflow in FileZilla Server Terminal 0.9.4d. The
exploit is still to be considered as a work in progress as it is still not
clear to me why the exploit works on some systems and not others. Please let me
know if you manage to reproduce the exploit and perhaps we can figure out the
differences.
Stable Exploit Test System
Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Tecnical Description
The FileZilla Server has a user interface that is used to configure and monitor
the FileZilla Server. By sending a long USER ftp command to the FileZilla
Server a successfull attack may crash the FileZilla Server Terminal process.
Note that the FileZilla Server itself does not crash.
Proof of Concept
The exploit is somewhat diffcult to exploit. On the stable exploit test system
I have understood that the following steps will crash the FileZilla Server
Terminal process:
Start the FileZilla Server
Start the FileZilla Server Terminal and login to the FileZilla Server started
in step 1
Send the following USER commands; "USER A", "USER AA", "USER AAA" etc
incrementing by one letter ("A") in the command.
The FileZilla Server Terminal usually crashes after about 900-3000 "A"s' . The
rpt file says the following:
System details:
---------------
Operating System:
Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Processor Information: Vendor: GenuineIntel ,Speed: 1728MHz ,Type: Intel
Pentium compatible,Number Of Processors: 1 ,Architecture: Intel ,Level: Pentium
II/Pro,Stepping: 33-36
Memory Information: Memory Used 69%, Total Physical Memory 769328KB, Physical
Memory Available 233460KB, Total Virtual Memory 2097024KB, Available Virtual
Memory 2061140KB, Working Set Min : 200KB Max : 1380KB .
Exception Details:
------------------
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 7C910F29 01:0000FF29 C:\WINDOWS\system32\ntdll.dll
Call stack:
-----------
Address Frame Function SourceFile
7C910F29 0012FA9C 0001:0000FF29 C:\WINDOWS\system32\ntdll.dll
7C910D5C 0012FB70 0001:0000FD5C C:\WINDOWS\system32\ntdll.dll
00438A1A 0012FBAC 0001:00037A1A C:\Programfiler\FileZilla Server\FileZilla
Server Interface.exe
00405049 0012FBD4 0001:00004049 C:\Programfiler\FileZilla Server\FileZilla
Server Interface.exe
0040562C 0012FC00 0001:0000462C C:\Programfiler\FileZilla Server\FileZilla
Server Interface.exe
77D38734 0012FC2C 0001:00007734 C:\WINDOWS\system32\USER32.dll77D38816 0012FC94
0001:00007816 C:\WINDOWS\system32\USER32.dll
77D3C63F 0012FCC4 0001:0000B63F C:\WINDOWS\system32\USER32.dll77D3E905 0012FCE4
0001:0000D905 C:\WINDOWS\system32\USER32.dll
0045F924 0012FD58 0001:0005E924 C:\Programfiler\FileZilla Server\FileZilla
Server Interface.exe
77D38734 0012FD84 0001:00007734 C:\WINDOWS\system32\USER32.dll
77D38816 0012FDEC 0001:00007816 C:\WINDOWS\system32\USER32.dll
77D389CD 0012FE4C 0001:000079CD C:\WINDOWS\system32\USER32.dll
77D396C7 0012FE5C 0001:000086C7 C:\WINDOWS\system32\USER32.dll