Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow
From: "Kaveh Razavi" <c0d3r@xxxxxxxxxxx>
Date: Mon, 24 Apr 2006 23:52:38 +0430 (IRDT)
Cc: news@xxxxxxxxxxxxxx
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: SquirrelMail/1.4.6

********************************************
IHS Iran Homeland Security Public advisory
by : c0d3r "Kaveh Razavi"  c0d3r@xxxxxxxxxxx
********************************************

Title : Quick 'n Easy FTP Server pro/lite
         Logging unicode stack overflow

********************************************

information :

Quick 'n Easy FTP Server is a simple and handy FTP server which is
developed by Pablo van der Meer . there is a unicode overflow in the
logging process ,after enough long string sent as an argument of a
command when you go to the logging section overflow happens and
SEH gets hit .

********************************************

simple exploitation :

it is a unicode overflow so any code execution wont be stable .
here is a sampe way to trigger the vulnerability :
login to the FTP Server then try :
command aaaaa < about 1100 a (0x61) here > aaaa
then in the ftp server main window go to Logging section .
the FTP Server will crash . and in the ftptrace.txt we have :
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception      : c0000005
Address        : 00610061
Access Type    : write
Access Address : 00000000
the amazing part is if your string was large enough the ftp server
detect overflow and prevents from any pointers overwrite .

********************************************

Risk Rate : Medium

1) it is a unicode overflow , and exploitation wont be stable because
   of the vulnerability's nature .
2) successful exploitation needs the admin go to the logging section .
3) it needs authentication .

********************************************

workaround :

no patch , all targets are vulnerable.

********************************************

Disclosure timeline :


March 26 , 2006  : vender contacted
March 27 , 2006  : vender replyed *
March 27 , 2006  : vender contacted , example provided
March 28 , 2006  : vender replyed **
March 28 , 2006  : vender contacted , C code provided to test the vuln.
March 29 , 2006  : vender replyed ***
April 25 , 2006  : public release

*   vender says I haven't applyed all the microsoft updates while I
    have and of course an overflow issue in a software is not related
    to microsoft libraries .
**  vender is insisting that the problem is not the FTP problem and my
    box problem .
*** I sent him a C code to check the vulnerability , he said he will
    contact me . well he didn't .

********************************************

Credit :

all go to IHS team
www.ihsteam.com
www.ihsteam.net
www.c0d3r.org

greeting :

LorD and NT of IHS , Jamie of exploitdev.org ,
other friends of mine in www.underground.ir

Prev by Date: RE: [BULK] - Websense Filter Bypass
Next by Date: Re: Apple Mac OS X Safari 2.0.3 Vulnerability
Previous by thread: Re: ADVISORY FOR IOPUS SECURE EMAIL ATTACHMENTS
Next by thread: [ MDKSA-2006:074 ] - Updated php packages address multiple vulnerabilities.
Index(es):
- Date
- Thread