-------------------------------------------------------------------------------
| SurgeFtp Server BufferOverflow Vulnerability|
--------------------------------------------------------------------------------
Summary
================
SurgeFTP Server has a buffer overflow vulnerability which effects
denial of service or potential remote code execution.
CVE number: CVE-2013-4742
Impact: High
Vendor homepage:
http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
Vendor notified: 22/05/2013
Vendor fixed: 30/05/2013
Affected Products
=================
SurgeFTP Server 23c8 and older linux versions.
Details
==================
The bug was triggered during authentication of ftp service .The root
cause of the problem is processing a very long line with no 'crlf' ,
resulting in a memmove operation past the end of a buffer, and that
would turn in corruption in a random way on heap or stack.Unless the
injection vector effect is not so stable ,one of the possibility of
code execution is "vfprint" function which you can exploit by calling
a next library function that exists and writable on GOT entry . The
following you can see EIP can be owned by ECX+0x1c address. Software
was complied with NX and code execution can be done by using ROP.
Gnu debugger enabled with pead output=>
EAX: 0x3b93b70 ("22 13:15:14.00: <-- ", 'F' <repeats 80 times>, "\n")
EBX: 0x353ff4 --> 0xb4cd7c
ECX: 0x54545454 ('AAAA')
EDX: 0x65 ('e')
ESI: 0xb7611700 ('C' <repeats 72 times>, "T\333q\003", 'T' <repeats
124 times>...)
EDI: 0x1
EBP: 0x3b95c34 --> 0x3b961f8 --> 0x3b96218 --> 0x3b96e18 --> 0x3b97df8
--> 0x3b99258 --> 0x3b99698 --> 0x3b9a2e8 --> 0x3b9a338 --> 0x3b9a388
--> 0x3b9a498 --> 0x0
ESP: 0x3b93b54 --> 0xb7611700 ('C' <repeats 72 times>, "T\333q\003",
'T' <repeats 124 times>...)
EIP: 0x206f15 (<buffered_vfprintf+277>: call DWORD PTR [ecx+0x1c])
Impact
================
DoS or RCE
Solution
================
Upgrade to SurgeFTP 23d2.
Twitter @pazwant