Bugtraq mailing list archives

Work in Progress: FileZilla Server Terminal V0.9.4d Buffer Overflow


From: inge.henriksen () booleansoft com
Date: 7 Nov 2005 08:43:11 -0000

** Inge Henriksen Security Advisory inge.henriksen () booleansoft com **

I have discovered a buffer overflow in FileZilla Server Terminal 0.9.4d. The exploit is still to be considered as a 
work in progress as it is still not clear to me why the exploit works on some systems and not others. Please let me 
know if you manage to reproduce the exploit and perhaps we can figure out the differences.

Stable Exploit Test System
Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Technical Description
The FileZilla Server has a user interface that is used to configure and monitor the FileZilla Server. By sending a long 
USER FTP command to the FileZilla Server, a successful attack may crash the FileZilla Server Terminal process. Note 
that the FileZilla Server itself does not crash.

Proof of Concept
The exploit is somewhat difficult to exploit. On the stable exploit test system I have understood that the following 
steps will crash the FileZilla Server Terminal process:


1. Start the FileZilla Server.
2. Start the FileZilla Server Terminal and log in to the FileZilla Server started in step 1.
3. Send the following USER commands: "USER A", "USER AA", "USER AAA" etc., incrementing by one letter ("A") in each command.

The FileZilla Server Terminal usually crashes after about 900-3000 "A"s. The rpt file says the following:

System details:
---------------
Operating System:
Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Processor Information: Vendor: GenuineIntel ,Speed: 1728MHz ,Type: Intel Pentium compatible,Number Of Processors: 1 
,Architecture: Intel ,Level: Pentium II/Pro,Stepping: 33-36
Memory Information: Memory Used 69%, Total Physical Memory 769328KB, Physical Memory Available 233460KB, Total Virtual 
Memory 2097024KB, Available Virtual Memory 2061140KB, Working Set Min : 200KB Max : 1380KB .

Exception Details:
------------------
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 7C910F29 01:0000FF29 C:\WINDOWS\system32\ntdll.dll

Call stack:
-----------
Address Frame Function SourceFile
7C910F29 0012FA9C 0001:0000FF29 C:\WINDOWS\system32\ntdll.dll
7C910D5C 0012FB70 0001:0000FD5C C:\WINDOWS\system32\ntdll.dll
00438A1A 0012FBAC 0001:00037A1A C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
00405049 0012FBD4 0001:00004049 C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
0040562C 0012FC00 0001:0000462C C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
77D38734 0012FC2C 0001:00007734 C:\WINDOWS\system32\USER32.dll
77D38816 0012FC94 0001:00007816 C:\WINDOWS\system32\USER32.dll
77D3C63F 0012FCC4 0001:0000B63F C:\WINDOWS\system32\USER32.dll
77D3E905 0012FCE4 0001:0000D905 C:\WINDOWS\system32\USER32.dll
0045F924 0012FD58 0001:0005E924 C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
77D38734 0012FD84 0001:00007734 C:\WINDOWS\system32\USER32.dll
77D38816 0012FDEC 0001:00007816 C:\WINDOWS\system32\USER32.dll
77D389CD 0012FE4C 0001:000079CD C:\WINDOWS\system32\USER32.dll
77D396C7 0012FE5C 0001:000086C7 C:\WINDOWS\system32\USER32.dll
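
Added example, not part of the original advisory: a log check a server operator could run to spot the USER pattern described above (arguments growing by one character per command, or a single very long argument). The "<client-ip> <raw FTP command line>" input format, the 64-character limit and the run length of 5 are assumptions made for this sketch, not FileZilla values.

```python
from collections import defaultdict

MAX_USER_LEN = 64   # assumed policy limit for a user name, not a FileZilla value
RUN_LENGTH = 5      # assumed: this many consecutive +1 growths counts as a probe

def scan(lines, max_len=MAX_USER_LEN, run_length=RUN_LENGTH):
    """Return a list of (client, reason, argument_length) alerts.

    Each input line is assumed to be "<client-ip> <raw FTP command line>".
    """
    last_len = {}                # client -> length of previous USER argument
    run = defaultdict(int)       # client -> consecutive one-character growths
    alerts = []
    for line in lines:
        client, _, command = line.rstrip("\r\n").partition(" ")
        verb, _, arg = command.partition(" ")
        if verb.upper() != "USER":
            continue
        n = len(arg)
        if n > max_len:
            alerts.append((client, "oversized", n))
        # Track the "USER A", "USER AA", ... pattern: each argument one longer.
        if client in last_len and n == last_len[client] + 1:
            run[client] += 1
            if run[client] == run_length:
                alerts.append((client, "incrementing", n))
        else:
            run[client] = 0
        last_len[client] = n
    return alerts

def sample_log():
    """Constructed sample: one probing client, one ordinary client."""
    lines = ["192.0.2.10 USER " + "A" * i for i in range(1, 9)]
    lines.insert(3, "198.51.100.7 USER alice")
    lines.append("198.51.100.7 PASS secret")   # not a USER command, ignored
    lines.append("192.0.2.10 USER " + "A" * 900)
    return lines

if __name__ == "__main__":
    for alert in scan(sample_log()):
        print(alert)
```

State is kept per client, so interleaved logins from other addresses do not reset or trigger the incrementing-length counter.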



