------------------------------------------------------------------------------- | SurgeFtp Server BufferOverflow Vulnerability| -------------------------------------------------------------------------------- Summary ================ SurgeFTP Server has a buffer overflow vulnerability which effects denial of service or potential remote code execution. CVE number: CVE-2013-4742 Impact: High Vendor homepage: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp Vendor notified: 22/05/2013 Vendor fixed: 30/05/2013 Affected Products ================= SurgeFTP Server 23c8 and older linux versions. Details ================== The bug was triggered during authentication of ftp service .The root cause of the problem is processing a very long line with no 'crlf' , resulting in a memmove operation past the end of a buffer, and that would turn in corruption in a random way on heap or stack.Unless the injection vector effect is not so stable ,one of the possibility of code execution is "vfprint" function which you can exploit by calling a next library function that exists and writable on GOT entry . The following you can see EIP can be owned by ECX+0x1c address. Software was complied with NX and code execution can be done by using ROP. Gnu debugger enabled with pead output=> EAX: 0x3b93b70 ("22 13:15:14.00: <-- ", 'F' <repeats 80 times>, "\n") EBX: 0x353ff4 --> 0xb4cd7c ECX: 0x54545454 ('AAAA') EDX: 0x65 ('e') ESI: 0xb7611700 ('C' <repeats 72 times>, "T\333q\003", 'T' <repeats 124 times>...) EDI: 0x1 EBP: 0x3b95c34 --> 0x3b961f8 --> 0x3b96218 --> 0x3b96e18 --> 0x3b97df8 --> 0x3b99258 --> 0x3b99698 --> 0x3b9a2e8 --> 0x3b9a338 --> 0x3b9a388 --> 0x3b9a498 --> 0x0 ESP: 0x3b93b54 --> 0xb7611700 ('C' <repeats 72 times>, "T\333q\003", 'T' <repeats 124 times>...) EIP: 0x206f15 (<buffered_vfprintf+277>: call DWORD PTR [ecx+0x1c]) Impact ================ DoS or RCE Solution ================ Upgrade to SurgeFTP 23d2. Twitter @pazwant