NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2005-06

[Full-disclosure] Crob FTP Server remote buffer overflows

From: Leon Juranic (ljuraniclss.hr)
Date: Mon Jun 06 2005 - 04:58:49 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

LSS Security Advisory #LSS-2005-06-06
http://security.lss.hr

Title: Crob FTP Server remote buffer overflows
Advisory ID: LSS-2005-06-06
Date: 2005-06-01
Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2005-06-06
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote
Vendors Status: 7th March, 2005

==[ Overview

Crob FTP Server is a powerful and flexible FTP Server with full user management
and network control for Windows 95/98/ME/2000/XP/2003. Crob FTP Server is using
the standard FTP (File Transfer Protocol) protocol an can be downloaded from
http://www.crob.net/en/.

==[ Vulnerability

There are various buffer overflows in Crob FTP server when processing client input.
First vulnerability is the stack overflow that can be triggered with a very long
parameter supplied to arbitrary FTP command (i.e. STOR) and calling RMD command
with long parameter afterwards. As a result, EIP is overflowed with user input.
Second vulnerability is the heap overflow vulnerability, probably in globbing
code, which can be triggered with characters like '?' or '*' followed by a long
string. This vulnerability can be triggered with commands like LIST or NLST.
Sucessful exploitation of these vulnerabilities will lead to remote code execution.

==[ Affected Version

Vulnerabilities were discovered in the latest Crob FTP server 3.6.1, but the
older versions might be also vulnerable.

==[ Fix

No fix available yet.

==[ PoC Exploit

Proof of concept code can be downloaded at http://security.lss.hr/PoC

==[ Credits

Credits for this vulnerability goes to Leon Juranic <ljuraniclss.hr>.

==[ LSS Security Contact

LSS Security Team,

WWW : http://security.lss.hr
E-mail : securityLSS.hr
Tel : +385 1 6129 775

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]