OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Strumpf Noir Society (vuln-devlabs.secureance.com)
Date: Tue Jan 15 2002 - 12:17:02 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Strumpf Noir Society Advisories
    ! Public release !
    <--#

    -= BlackMoon FTPd Buffer Overflow Vulnerability =-

    Release date: Tuesday, January 15, 2002

    Introduction:

    BlackMoon is a native windows2000 and XP FTP server application with
    features such as virtual directories, user accounts, file resuming and
    passive mode transfers, multi-homed & multi-port listening, low memory
    and CPU usage, auto date and time activation, all the basic ftp commands
    and much more.

    BlackMoon is available from the product's website:
    http://www.blackmoon.filetap.com

    Problem(s):

    The BlackMoon FTP server is vulnerable to a buffer overflow condition.
    Due to the nature of these problems, this could lead to arbitrary code
    execution on a target machine.

    More specifically, the buffer which handles the received data before
    parsing it was incorrectly declared static in below code.

    CBuffer::CBuffer(const char * data, int len, int capacity_inc)
    {
         bf_head = (char*)&staticBuf; //(char*)malloc(len * sizeof(char));
         if(bf_head != NULL)
         {
             memcpy(bf_head,data,len);
             bf_capacity = sizeof(staticBuf); //len;
             bf_current_size = len;
             bf_capacity_inc = capacity_inc;

    Due to this error, it is possible to overflow this buffer through several
    of the standard ftp commands available to the user (specifically 'USER',
    'PASS' and 'CWD') followed by a string of data sized more than 4096 bytes.

    This will kill the BlackMoon FTP service (which runs under the local SYSTEM
    account) and allows for overwriting of EIP.

    (..)

    Solution:

    Vendor has been notified and was swift to respond in releasing BlackMoon
    FTP v1.5, Release #2, Build 1550, which is available from the product's web
    site. This version of the product fixes above problem and adds several
    safeguards against similar abuses.

    This was tested against BlackMoon FTP v1.5 (Release #1 Build 1547)
    on Win2k. The vulnerability described below was traced back to version 1.0,
    Release #1, Build 1115. Users are encouraged to upgrade.

    yadayadayada

    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant, all information is provided on AS IS basis.

    EOF, but Strumpf Noir Society will return!