Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: bt392.txt

SmartFTP - Two Buffer Overflow Vulnerabilities






----------------------------------------------------------------------
SUMMARY        : [SmartFTP] Two Buffer Overflow Vulnerabilities
PRODUCT        : SmartFTP
VERSIONS       : 1.0.973
VENDOR         : SmartFTP (http://www.smartftp.com/)
SEVERITY       : Critical.
                 Code Execution.
DISCOVERED BY  : nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-05-07
RELEASED DATE  : 2003-06-09
----------------------------------------------------------------------

0. PRODUCTS
=============

  SmartFTP is a GUI base FTP Client for Windows.
  SmartFTP.com (http://www.smartftp.com/)


1. DESCRIPTION
================

  SmartFTP has following two buffer overflow vulnerabilities;

  1. The buffer overflow vulnerability in the reply for PWD command.

    If the reply that contains a long address is returned from
    a server for "PWD" command request, the buffer overflow occurs
    on the stack area.
    By exploiting this vulnerability, an attacker can execute
    an arbitrary code on the user's system if the user connects
    to the malicious server.


  2. The heap buffer overrun vulnerability in the File List.

    If the File List that contains a line of long string is returned
    from a server, the buffer overrun occurs on the heap area.
    By exploiting this vulnerability, an attacker possibly could
    execute an arbitrary code on the user's system if the user
    connects to the malicious server.


  With these vulnerabilities, there could be following risks;

  * Infection with Virus or Trojan, etc.
  * Destruction of the system.
  * Leak or alteration of the local data.


2. SYSTEMS AFFECTED
=====================

  SmartFTP 1.0.973
  And previous versions may also have this vulnerability.


3. SYSTEMS NOT AFFECTED
=========================

  SmartFTP 1.0.976


4. EXAMINES
=============

  Tested versions :
    SmartFTP 1.0.973
    SmartFTP 1.0.976

  Tested platforms :
    Windows 98SE Japanese
    Windows 2000 Professional SP3 Japanese


5. VENDOR STATUS
==================

  2003-05-07  Vendor released fixed-version (1.0.976)
              and described the fix in the change log.

              Reference: http://www.smartftp.com/changelog.php


6. SOLUTION
=============

  Upgrade to version 1.0.976 or later version.


7. TECHNICAL DETAILS
======================

  1. The buffer overflow vulnerability in the reply for PWD command.

    SmartFTP requests a current directory using "PWD" command when it's
    connected to a FTP server.
    And then the buffer overflow occurs on the stack area if
    the server's reply for "PWD" request has a long directory name
    such as following.

    Example:

      ---> PWD
      <--- 257 "AAAAAAAAAA ..... (over 0x208 bytes) ....." is current directory.

    If a saved RET address is overwritten with the address of buffer
    that has an arbitrary code or the address of instruction data
    that redirects to there, the processing path moves to that buffer.

    Therefore, it is able to execute an arbitrary code as
    the privilege of SmartFTP process.


  2. The heap buffer overrun vulnerability in the File List.

    SmartFTP requests a File List to the FTP server using "LIST"
    command or etc when it connected to the server.
    And the buffer overrun occurs on the heap area if the returned
    File List has a line of long string like following.

    Example:

      dr-xr-xr-x 1 owner group 123 Feb 1 00:00 .
      AAAAAAAAAAA ..... (over 0x5000 bytes) .....
      -r-xr-xr-x 1 owner group 123 Feb 1 00:00 filename.ext

    This buffer overrun can overwrite an arbitrary memory area with
    arbitrary values if it overwrites a Win32 Heap Manager records
    with a manipulated data.
    And overwriting the data related with a Structured Exception
    Handling, it is possible to make the processing path move to
    a specified address.

    Therefore an attacker possibly could execute as the privilege
    of SmartFTP process an arbitrary code.
    (However it can be difficult actually)


  The overflowed data is converted to UNICODE, that conversions are
  different in each system locales.


8. SAMPLE CODE
================

  None release.


9. TIME TABLE
===============

  2003-04-20  Discovered these vulnerabilities.
  2003-05-07  Reported to vendor.
  2003-05-07  Received a reply and a fixed-version(1) from vendor.
  2003-05-07  Found a problem still left, and reported it to vendor.
  2003-05-07  Received a fixed-version(2) from vendor.
  2003-05-07  Discovered a new bug, and reported it to vendor.
  2003-05-07  Received a fixed-version(3) from vendor.
  2003-05-07  Conveyed to vendor that the fix has been done.
  2003-05-07  Vendor released fixed-version.
  2003-06-09  Released this advisory.


10. DISCLAIMER
===============

  A. We cannot guarantee the accuracy of all statements in this information.
  B. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  C. And we will take no responsibility for any kinds of disadvantages by
     using this information.
  D. You can quote this advisory without our permission if you keep the following;
     a. Do not distort this advisory's content.
     b. A quoted place should be a medium on the Internet.
  E. If you have any questions, please contact to us.


  * Exception

     We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
     redistribute our advisory.


11. CONTACT, ETC
=================

  :: Operash ::

  imagine (Operash Webmaster)
  nesumin <nesumin@softhome.net>


  Thanks to :

    melorin
    piso(sexy)



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH