INFIGO IS Security Advisory #ADV-2006-05-03 http://www.infigo.hr/ Title: Multiple FTP Servers vulnerabilities Advisory ID: INFIGO-2006-05-03 Date: 2006-05-05 Advisory URL: http://www.infigo.hr/hr/in_focus/advisories/INFIGO-2006-05-03 Impact: Remote code execution and DoS Risk Level: High Vulnerability Type: Remote Vendors Status: Multiple vendors contacted. ==[ Overview Infigo IS released a simple GUI FTP fuzzer which can be downloaded from http://www.infigo.hr/hr/in_focus/tools. The announcement which was posted to multiple security groups included an overview of several vulnerabilities discovered with the Fuzzer. This advisory is published due to some misinterpretations in further reposts discussing discovered vulnerabilities. Vulnerabilities described in this advisory were found in the following FTP server software products: - ArgoSoft FTP Server - Golden FTP Server - Filezilla - War FTP Daemon - Guild FTP Server ==[ Vulnerabilities Fuzzing various FTP servers discovered numerous security flaws in the FTP server software. Several of them are described below. -[ ArgoSoft FTP Server buffer overflow Multiple vulnerabilities were discovered in ArgoSoft FTP Server. In a simple unicode buffer overflow in the 'RNTO' command with an argument size of about 3000 with the fuzz string '&A', EIP will be overflowed with 0x00260047 (fuzzer input). This vulnerability allows remote code execution. -[ Golden FTP Server buffer overflow Among other vulnerabilities, Golden FTP Server discloses unnecessary information. When an exception occurs in the server process, Golden FTP Server will pass the exception code with detailed info on the exception to the FTP client which caused it. Example: ... [ CMD: [CWD] FUZZ: [//A://A://A://A://A:] SIZE: 150 ] RECV: 550 Access violation at address 004A291C in module 'GFTPpro.exe'. Read of address 00000001 [ CMD: [CWD] FUZZ: [//A://A://A://A://A:] SIZE: 330 ] RECV: 550 Access violation at address 00402CDF in module 'GFTPpro.exe'. Read of address 2F3A412F ... It is possible to obtain information on the process memory environment. In the second exception, the process can't read from address 0x2F3A412F which represents the string "/:A/" that was sent to the FTP server by the Fuzzer. The exception is caused by a stack overflow in the NLST command when a long argument with a specially constructed value is passed to it. Exploiting the vulnerability is simple, because it is possible to overflow the SEH handler and return to the 'pop-pop-ret' where the buffer is located. This allows remote code execution, not just DoS as stated in some reposts. -[ FileZilla vulnerabilities A few vulnerabilities in FileZilla weren't investigated beyond the crash. At the moment there is no further information whether those vulnerabilities are exploitable. The first vulnerability is triggered by sending a long PORT or PASS command (30 bytes) and MLSD command after it. This causes FileZilla to crash (DoS). The second vulnerability found in the FileZilla Server interface also leads to the DoS conditions. -[ War FTP Daemon WDM.exe overflow Fuzzing the WarFTP Daemon raised multiple exceptions. Example: WDM.exe (Wardaemon Manager) will crash on "MOV DWORD PTR [EDX], ESI", where attacker controls both EDX and ESI registers. This scenario could lead to remote code execution. -[ Guild FTP Server buffer overflow Fuzzing the Guild FTP Server discovered remote unicode buffer overflow probably related to the 'globbing chars'. EIP is overflowed with the Fuzzer's input. The issue was not further investigated. ==[ Affected Version Latest ArgoSoft FTP server (1.4.3.6), Golden FTP server (2.70), FileZilla (2.2.22), WarFTP Daemon and Guild FTP Server (0.999.13). ==[ Fix Not available. ==[ PoC Exploit No PoC available. ==[ Credits Vulnerabilities discovered by Leon Juranic <leon.juranic<img src="/imgs/at.gif" border=0 align=middle>infigo.hr> ==[ INFIGO IS Security Contact INFIGO IS, WWW : http://www.infigo.hr E-mail : infocus<img src="/imgs/at.gif" border=0 align=middle>infigo.hr ==[ Revision history 2006-05-04, Original advisory published Revision 01, 2006-05-05, Guild FTP Server vulnerability added