Bugtraq mailing list archives
Re: Multiple Heap Overflows in FTP Desktop
From: Vlad M <v_lion_77 () mail ru>
Date: 17 Oct 2003 23:49:35 -0000
In-Reply-To: <20030908202530.24144.qmail () sf-www1-symnsj securityfocus com> The heap overflow bug has been fixed. The new FTP Desktop version is now available for downloading from http://www.ftpdesktop.net/download.html
Received: (qmail 27051 invoked from network); 8 Sep 2003 20:49:01 -0000 Received: from outgoing3.securityfocus.com (205.206.231.27) by mail.securityfocus.com with SMTP; 8 Sep 2003 20:49:01 -0000 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing3.securityfocus.com (Postfix) with QMQP id 90883A30EE; Mon, 8 Sep 2003 14:53:45 -0600 (MDT) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 8052 invoked from network); 8 Sep 2003 14:26:31 -0000 Date: 8 Sep 2003 20:25:30 -0000 Message-ID: <20030908202530.24144.qmail () sf-www1-symnsj securityfocus com> Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: Bahaa Naamneh <b_naamneh () hotmail com> To: bugtraq () securityfocus com Subject: Multiple Heap Overflows in FTP Desktop Multiple Heap Overflows in FTP Desktop Introduction: ============= "FTP Desktop lets you access FTP sites as if they were folders on your computer. Now you can move your files between your hard disk and remote FTP sites with greater ease." - Vendors Description [ http://www.ftpdesktop.com ] Note: FTP Desktop is fully integrated into Windows Explorer, so the actual module at fault appears as 'explorer.exe'. Details: ======== Vulnerable systems: FTP Desktop version 3.5 (and possibly earlier versions). Vulnerability: It is possible to cause a Heap overflow in FTP Desktop, allowing total modification of the EIP pointer - this can be maliciously altered to allow remote arbitrary code execution. The overflow occurs in the FTP banner and others areas as it shown here: FTP Banner: ----------- (FTP Desktop connected...) PADDING EBP EIP 220 [229xA][4xB][4xX] (Access violation when executing 0x58585858) // 4xX Username: --------- (FTP Desktop Sends 'USER username') PADDING EBP EIP 331 [229xA][4xB][4xX] (Access violation when executing 0x58585858) // 4xX Password: --------- (FTP Desktop Sends 'PASS password') PADDING EBP EIP 331 [229xA][4xB][4xX] (Access violation when executing 0x58585858) // 4xX Vendor status: ============== The vendor has been informed, and they are fixing this bug. The updated version, when released, can be downloaded from: http://www.ftpdesktop.net/download.html [ http://www.ftpdesktop.net/download/ftpsetup.exe ] Exploit: ======== http://www.elitehaven.net/ftpdesktop.zip (I would thank Peter Winter-Smith for helping me in the exploitation) Discovered by/Credit: ===================== Bahaa Naamneh b_naamneh () hotmail com
Current thread:
- Re: Multiple Heap Overflows in FTP Desktop Vlad M (Oct 20)