OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
SurgeFtp Server BufferOverflow Vulnerability

From: Anil Pazvant (pazwantgmail.com)
Date: Mon Jul 22 2013 - 12:30:41 CDT


-------------------------------------------------------------------------------

| SurgeFtp Server BufferOverflow Vulnerability|

--------------------------------------------------------------------------------

Summary
================

SurgeFTP Server has a buffer overflow vulnerability which effects
denial of service or potential remote code execution.

CVE number: CVE-2013-4742
Impact: High

Vendor homepage:
http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp

Vendor notified: 22/05/2013

Vendor fixed: 30/05/2013

Affected Products
=================
SurgeFTP Server 23c8 and older linux versions.

Details
==================

The bug was triggered during authentication of ftp service .The root
cause of the problem is processing a very long line with no 'crlf' ,
resulting in a memmove operation past the end of a buffer, and that
would turn in corruption in a random way on heap or stack.Unless the
injection vector effect is not so stable ,one of the possibility of
code execution is "vfprint" function which you can exploit by calling
a next library function that exists and writable on GOT entry . The
following you can see EIP can be owned by ECX+0x1c address. Software
was complied with NX and code execution can be done by using ROP.

Gnu debugger enabled with pead output=>

EAX: 0x3b93b70 ("22 13:15:14.00: <-- ", 'F' <repeats 80 times>, "\n")
EBX: 0x353ff4 --> 0xb4cd7c
ECX: 0x54545454 ('AAAA')
EDX: 0x65 ('e')
ESI: 0xb7611700 ('C' <repeats 72 times>, "T\333q\003", 'T' <repeats
124 times>...)
EDI: 0x1
EBP: 0x3b95c34 --> 0x3b961f8 --> 0x3b96218 --> 0x3b96e18 --> 0x3b97df8
--> 0x3b99258 --> 0x3b99698 --> 0x3b9a2e8 --> 0x3b9a338 --> 0x3b9a388
--> 0x3b9a498 --> 0x0
ESP: 0x3b93b54 --> 0xb7611700 ('C' <repeats 72 times>, "T\333q\003",
'T' <repeats 124 times>...)
EIP: 0x206f15 (<buffered_vfprintf+277>: call DWORD PTR [ecx+0x1c])

Impact
================
DoS or RCE

Solution
================
Upgrade to SurgeFTP 23d2.

Twitter pazwant