Re: Multiple Heap Overflows in FTP Desktop

[Vlad M <v_lion_77 () mail ru>]

In-Reply-To: <20030908202530.24144.qmail () sf-www1-symnsj securityfocus com>

The heap overflow bug has been fixed. The new FTP Desktop version is now available for downloading from 
http://www.ftpdesktop.net/download.html


> Received: (qmail 27051 invoked from network); 8 Sep 2003 20:49:01 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 8 Sep 2003 20:49:01 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 90883A30EE; Mon,  8 Sep 2003 14:53:45 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 8052 invoked from network); 8 Sep 2003 14:26:31 -0000
> Date: 8 Sep 2003 20:25:30 -0000
> Message-ID: <20030908202530.24144.qmail () sf-www1-symnsj securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: Bahaa Naamneh <b_naamneh () hotmail com>
> To: bugtraq () securityfocus com
> Subject: Multiple Heap Overflows in FTP Desktop
>
>
>
> Multiple Heap Overflows in FTP Desktop
>
>
> Introduction:
> =============
> "FTP Desktop lets you access FTP sites as if they were folders on your
> computer.
> Now you can move your files between your hard disk and remote FTP sites
> with greater ease."
> - Vendors Description
>   [ http://www.ftpdesktop.com ]
>
> Note:
> FTP Desktop is fully integrated into Windows Explorer, so the actual 
> module
> at fault appears as 'explorer.exe'.
>
>
> Details:
> ========
> Vulnerable systems: FTP Desktop version 3.5 (and possibly earlier
> versions).
>
> Vulnerability: It is possible to cause a Heap overflow in FTP Desktop,
> allowing total modification of the EIP pointer - this can be maliciously
> altered to allow remote arbitrary code execution. The overflow occurs in
> the FTP banner and others areas as it shown here:
>
> FTP Banner:
> -----------
> (FTP Desktop connected...)
>    PADDING EBP  EIP
> 220 [229xA][4xB][4xX]
> (Access violation when executing 0x58585858) // 4xX
>
> Username:
> ---------
> (FTP Desktop Sends 'USER username')
>    PADDING EBP  EIP
> 331 [229xA][4xB][4xX]
> (Access violation when executing 0x58585858) // 4xX
>
> Password:
> ---------
> (FTP Desktop Sends 'PASS password')
>    PADDING EBP  EIP
> 331 [229xA][4xB][4xX]
> (Access violation when executing 0x58585858) // 4xX
>
>
> Vendor status:
> ==============
> The vendor has been informed, and they are fixing this bug.
> The updated version, when released, can be downloaded from:
>
> http://www.ftpdesktop.net/download.html
> [ http://www.ftpdesktop.net/download/ftpsetup.exe ]
>
>
> Exploit:
> ========
> http://www.elitehaven.net/ftpdesktop.zip
>
> (I would thank Peter Winter-Smith for helping me in the exploitation)
>
>
> Discovered by/Credit:
> =====================
> Bahaa Naamneh
> b_naamneh () hotmail com