Bugtraq mailing list archives

Re: CuteFTP 5.0 XP, Buffer Overflow

From: <robert () globalscape com>
Date: 18 Jun 2003 12:47:03 -0000

In-Reply-To: <20030206045629.9764.qmail () mail securityfocus com>

Re: thread below, the new LIST defect and long URL buffer overflow defect 
have been fixed in version 5.0.2 (released June 9th). This version is 
available at:
http://www.globalscape.com/cuteftp and ftp://ftp.cuteftp.com/pub/cuteftp
Please uninstall 5.0.1, 5.0 or earlier versions and install 5.0.2. to 
address these issues. Read the notes.txt file included in the install for 
more details.

Robert Oslin
Product Manager
GlobalSCAPE Texas, LP.
=====================

[205.206.231.19])

      by outgoing3.securityfocus.com (Postfix) with QMQP
      id E901AA30D8; Thu,  6 Feb 2003 08:44:49 -0700 (MST)
Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq () securityfocus com>
List-Help: <mailto:bugtraq-help () securityfocus com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
Delivered-To: mailing list bugtraq () securityfocus com
Delivered-To: moderator for bugtraq () securityfocus com
Received: (qmail 27960 invoked from network); 6 Feb 2003 04:55:20 -0000
Message-ID: <20030206045629.9764.qmail () mail securityfocus com>
Date: Thu, 06 Feb 2003 13:56:06 +0900
From: Kanatoko <anvil () jumperz net>
To: bugtraq () securityfocus com
Subject: Re: CuteFTP 5.0 XP, Buffer Overflow
In-Reply-To: <BAY2-F14x4qfU1gqs600002752f () hotmail com>
References: <BAY2-F14x4qfU1gqs600002752f () hotmail com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.26.09


Cute FTP 5.0 XP, build 51.1.23.1 was released, but it is still
vulnerable against the same issue.

Sending 780 bytes( in previous build, it was 257 bytes )  as a reply to
LIST command cause a stack overflow.

# BTW, I found another buffer overflow problem. Copy long url like
# "ftp://AAAAAAAAAAA....AAAAAAAAAAA/";
# to clipboard and execute CuteFTP. It will crash immediately.
# Seems like a bug, not a security hole.

-- 
Kanatoko<anvil () jumperz net>
http://www.jumperz.net/
irc.friend.td.nu:6667 #ouroboros



On Sat, 18 Jan 2003 06:25:31 +0000
"Lance Fitz-Herbert" <fitzies () hotmail com> wrote:

Advisory 07:
------------
Buffer Overflow In CuteFTP 5.0 XP


Discovered:
-----------
By Me, Lance Fitz-Herbert (aka phrizer).
September 4th, 2002


Vulnerable Applications:
------------------------
Tested On CuteFTP 5.0 XP, build 50.6.10.2
Others could be vulnerable...


Impact:
-------
Medium,
This could allow arbitary code to be executed on the remote victims

machine,

if the attacker is
successfull in luring a victim onto his server.


Details:
--------
When a FTP Server is responding to a "LIST" (directory listing)

command, the

response is sent
over a data connection. Sending 257 bytes over this connection will

cause a

buffer to overflow,
and the EIP register can be overwritten completely by sending 260 bytes

of

data.


Vendor Status:
--------------
Contacted GlobalSCAPE Jan 14th 2003, After a couple of emails back and

forth

within a few days, they
confirmed the problem, and siad they are working on a release for

Monday

(20th Jan, 03) which will address
the issue.


Solution:
---------
Upgrade to new version which should be avalible from Monday (20th Jan,

03).



Exploit:
--------
Not released.


Contacting Me:
--------------
    ICQ: 23549284
    IRC: irc.dal.net #KORP



----
NOTE: Because of the amount of spam i receive, i require all emails *to

me*

to contain the word "nospam" in the subject line somewhere. Else i

might not

get your email. thankyou.
----






_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE* 
http://join.msn.com/?page=features/virus

Current thread:

Re: CuteFTP 5.0 XP, Buffer Overflow robert (Jun 18)