Bugtraq mailing list archives
Re: LeapFTP .lsq Buffer Overflow Vulnerability
From: Kaveh Razavi <c0d3rz_team () yahoo com>
Date: Thu, 25 Aug 2005 11:50:16 -0700 (PDT)
I talked on this issue with kf . reading unicodeproof shellcode in phrake magazine is extremely recommended . I add the replys with kf as an attachment . might be useful . c0d3r of IHS Network Security Researcher --- Damien Palmer <alacrity () gmail com> wrote:
Seeing as how, given a large enough buffer, it is relatively easy to write arbitrary shell code using just ASCII characters, the larger unicode space would make this even easier. Unless there are some pretty severe unlisted restrictions on either the length or content of the overflow string, making an exploit is practically trivial. If you want a quick'n'dirty overview of shell code using a very limited subset of ASCII you can refer to the lecture notes from a unix security class I took in Fall 2004 (starting on page 5 of this document): http://cr.yp.to/2004-494/0910.pdf -D On 8/24/05, Kaveh Razavi <c0d3rz_team () yahoo com> wrote:it is not a high risk vulnerability . chance of making an stable exploit in a unicode overflow is low . Regards c0d3r of IHS Network Security ReseacherLeapFTP .lsq Buffer Overflow Vulnerability by Sowhat Last Update:2005.08.24 http://secway.org/advisory/AD20050824.txt Vendor: LeapWare Inc. Product Affected: LeapFTP < 2.7.6.612 Overview: LeapFTP is the award-winning shareware FTPclientthat combines an intuitive interface with one of the mostpowerfulclient bases around. Details: .LSQ is the LeapFTP Site Queue file, And it is registered with Windows by LeapFTP. You can save a transfer Queue to.lsqfiles and transfer it later by opening the .lsq files. However, LeapFTP does not properly check thelengthof the "Host" fields, when a overly long string is supplied, therewill bea buffer overflow and probably arbitrary code execution. This vulnerability can be exploited by sendingthemalformed .lsq file to the victim, after the victim open the .lsqfile,arbitray code may executed. //bof.lsq [HOSTINFO] HOST=AAAAA...[ long string ]...AAAAA USER=username PASS=password [FILES]"1","/winis/ApiList.zip","477,839","E:\ApiList.zip"SOLUTION: All users are encouraged to upgrade to 2.7.6 immediately Vendor also released an advisory: http://www.leapware.com/security/2005082301.txt Vendor Response: 2005.08.22 Vendor notified via online WebForm 2005.08.23 Vendor responsed and bug fixed 2005.08.24 Vendor released the new version2.7.6.6122005.08.24 Advisory Released';" type="text/css"> __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spamprotection aroundhttp://mail.yahoo.com
';" type="text/css"> __________________________________ Do you Yahoo!? Read only the mail you want - Yahoo! Mail SpamGuard. http://promotions.yahoo.com/new_mail
Attachment:
unicode.txt
Description: 901836124-unicode.txt
Current thread:
- LeapFTP .lsq Buffer Overflow Vulnerability Sowhat . (Aug 24)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Kaveh Razavi (Aug 24)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Damien Palmer (Aug 25)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Kaveh Razavi (Aug 25)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Damien Palmer (Aug 25)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Kaveh Razavi (Aug 24)