SapporoWorks BlackJumboDog is an integrated open-source proxy server, web server and FTP server developed by SapporoWorks for Microsoft Windows platforms.
BlackJumboDog version 3.6.1 is vulnerable to a buffer overflow in its FTP server.
Credit:
The information has been provided by Chew Keong TAN.
Vulnerable Systems:
* BlackJumboDog version 3.6.1
Immune Systems:
* BlackJumboDog version 3.6.2
Impact:
By sending a specially crafted FTP request containing a long parameter string in the USER, PASS, RETR, CWD, XMKD, XRMD or various other commands, a remote attacker could cause a stack overflow and execute arbitrary code.
Technical Details:
This vulnerability is caused by an unsafe strcpy() that copies the entire parameter of the user's FTP command to a stack buffer of 256 bytes. For example, suppose that the user's FTP client issues the following command.
USER xxxxxxxxxxxx
The command parameter "xxxxxxxxxxxx" will be copied to a 256-byte buffer using strcpy(). Hence, by crafting an FTP command with an overly long parameter, a remote attacker could trigger a stack overflow and execute arbitrary code. The attacker does not need a valid account on the FTP server, since the overflow can be triggered prior to authentication using the USER command.
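As an added illustration that is not taken from the advisory or from BlackJumboDog's source, the C parser below shows the defensive counterpart of the pattern described above: it splits an FTP command line into verb and parameter, bounds the parameter copy at the 256-byte buffer size, and rejects oversized input instead of copying it. The buffer sizes, the function names and the helper that constructs test lines are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PARAM_BUF 256   /* buffer size named in the advisory */
#define VERB_BUF  5     /* FTP verbs are at most four letters plus NUL */

/* Result of parsing one FTP command line. */
enum ftp_parse { FTP_OK = 0, FTP_MALFORMED = -1, FTP_PARAM_TOO_LONG = -2 };

/* The advisory describes the flaw as, in effect,
 *     char param[256]; strcpy(param, user_supplied_parameter);
 * This parser fills the same fixed buffers from "VERB param\r\n" but refuses
 * a parameter that would not fit, so an overlong USER/PASS/RETR/CWD argument
 * gets an error reply instead of overwriting the stack. */
int parse_ftp_command(const char *line, char verb[VERB_BUF], char param[PARAM_BUF])
{
    verb[0] = param[0] = '\0';
    size_t len = strcspn(line, "\r\n");      /* drop CRLF / LF */

    /* Verb: 1..4 letters, followed by end of line or one space. */
    size_t v = 0;
    while (v < len && isalpha((unsigned char)line[v]))
        v++;
    if (v == 0 || v >= VERB_BUF || (v < len && line[v] != ' '))
        return FTP_MALFORMED;
    for (size_t i = 0; i < v; i++)
        verb[i] = (char)toupper((unsigned char)line[i]);
    verb[v] = '\0';
    if (v == len)                            /* e.g. "QUIT": no parameter */
        return FTP_OK;

    /* Parameter: bounded copy, leaving room for the NUL terminator. */
    size_t plen = len - v - 1;
    if (plen >= PARAM_BUF)
        return FTP_PARAM_TOO_LONG;
    memcpy(param, line + v + 1, plen);
    param[plen] = '\0';
    return FTP_OK;
}

/* Builds a constructed line "VERB xxx...x\r\n" with plen x's and parses it. */
int parse_with_param_length(const char *v, size_t plen)
{
    char line[4096], verb[VERB_BUF], param[PARAM_BUF];
    if (strlen(v) > 16 || plen > 4000)       /* keep the constructed line in bounds */
        return FTP_MALFORMED;
    int n = snprintf(line, sizeof line, "%s ", v);
    memset(line + n, 'x', plen);
    memcpy(line + n + plen, "\r\n", 3);
    return parse_ftp_command(line, verb, param);
}
```

A server using this parser would answer FTP_PARAM_TOO_LONG with a 501 reply rather than copying the parameter; the 255-byte case still succeeds because the terminator fits.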
Vendor Status:
The author has fixed the bug in version 3.6.2. Users are advised to upgrade to the fixed version.