Surge FTP 23c8 Buffer Overflow

2013.07.24
Credit: Anil Pazvant
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-------------------------------------------------------------------------------
| SurgeFtp Server BufferOverflow Vulnerability |
-------------------------------------------------------------------------------

Summary
================
SurgeFTP Server has a buffer overflow vulnerability that results in denial of service or potential remote code execution.

CVE number: CVE-2013-4742
Impact: High
Vendor homepage: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
Vendor notified: 22/05/2013
Vendor fixed: 30/05/2013

Affected Products
=================
SurgeFTP Server 23c8 and older, Linux versions.

Details
==================
The bug is triggered during authentication to the FTP service. The root cause is the processing of a very long line with no CRLF, which results in a memmove operation past the end of a buffer and corrupts the heap or stack in an unpredictable way. Although the effect of this injection vector is not very stable, one possibility for code execution is the vfprintf path, which can be exploited through the next library function call whose GOT entry exists and is writable. In the debugger output below, EIP is taken from the address at ECX+0x1c. The software was compiled with NX, so code execution would require ROP.

GNU debugger with PEDA output:

EAX: 0x3b93b70 ("22 13:15:14.00: <-- ", 'F' <repeats 80 times>, "\n")
EBX: 0x353ff4 --> 0xb4cd7c
ECX: 0x54545454 ('AAAA')
EDX: 0x65 ('e')
ESI: 0xb7611700 ('C' <repeats 72 times>, "T\333q\003", 'T' <repeats 124 times>...)
EDI: 0x1
EBP: 0x3b95c34 --> 0x3b961f8 --> 0x3b96218 --> 0x3b96e18 --> 0x3b97df8 --> 0x3b99258 --> 0x3b99698 --> 0x3b9a2e8 --> 0x3b9a338 --> 0x3b9a388 --> 0x3b9a498 --> 0x0
ESP: 0x3b93b54 --> 0xb7611700 ('C' <repeats 72 times>, "T\333q\003", 'T' <repeats 124 times>...)
EIP: 0x206f15 (<buffered_vfprintf+277>: call DWORD PTR [ecx+0x1c])

Impact
================
DoS or RCE

Solution
================
Upgrade to SurgeFTP 23d2.

Twitter @pazwant
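The defect the Details section describes, a memmove that runs past the end of a buffer while a line that never receives its CRLF is being accumulated, is the classic line-reader bug class. The following is an added example, not SurgeFTP's code (the structure, function names and the 64-byte limit are constructed for illustration): a bounded line reader that refuses input the buffer cannot hold and treats a full buffer with no CRLF as a protocol error instead of shifting bytes beyond the buffer.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not SurgeFTP code: a bounded line reader for a text
 * protocol such as FTP. LINE_MAX is an assumed limit chosen for the demo. */
#define LINE_MAX 64

struct linebuf {
    char data[LINE_MAX];
    size_t used;      /* bytes buffered but not yet returned as a line */
};

/* Append n bytes of input; refuse anything the buffer cannot hold. */
int linebuf_append(struct linebuf *b, const char *in, size_t n)
{
    if (n > LINE_MAX - b->used)
        return -1;    /* would run past data[LINE_MAX]: reject, never write it */
    memcpy(b->data + b->used, in, n);
    b->used += n;
    return 0;
}

/* Copy the next CRLF-terminated line into out (NUL-terminated, CRLF stripped).
 * Returns 1 when a line was extracted, 0 when more input is needed, -1 when
 * the buffer is full with no CRLF: the over-long line that must be rejected. */
int linebuf_next_line(struct linebuf *b, char *out, size_t outsz)
{
    for (size_t i = 0; i + 1 < b->used; i++) {
        if (b->data[i] != '\r' || b->data[i + 1] != '\n')
            continue;
        if (i + 1 > outsz)
            return -1;
        memcpy(out, b->data, i);
        out[i] = '\0';
        /* Shift the unconsumed remainder to the front. Source offset (i + 2)
         * and length are both bounded by b->used, so the memmove stays inside
         * the buffer; an unchecked length here is the bug class in the advisory. */
        size_t rest = b->used - (i + 2);
        memmove(b->data, b->data + i + 2, rest);
        b->used = rest;
        return 1;
    }
    /* No CRLF yet: a full buffer means the line can never terminate within
     * the limit, so report it instead of buffering further. */
    return b->used == LINE_MAX ? -1 : 0;
}
```

A caller that gets -1 from either function should close the connection; a line of 80 'F' bytes with no CRLF, as in the register dump above, is rejected rather than buffered.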

References:

http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
