Re: LeapFTP .lsq Buffer Overflow Vulnerability

[Kaveh Razavi <c0d3rz_team () yahoo com>]

I talked on this issue with kf .
reading unicodeproof shellcode in phrake magazine is
extremely recommended .
I add the replys with kf as an attachment .
might be useful .

c0d3r of IHS
Network Security Researcher 

--- Damien Palmer <alacrity () gmail com> wrote:

> Seeing as how, given a large enough buffer, it is
> relatively easy to
> write arbitrary shell code using just ASCII
> characters, the larger
> unicode space would make this even easier.  Unless
> there are some
> pretty severe unlisted restrictions on either the
> length or content of
> the overflow string, making an exploit is
> practically trivial.
>
> If you want a quick'n'dirty overview of shell code
> using a very
> limited subset of ASCII you can refer to the lecture
> notes from a unix
> security class I took in Fall 2004 (starting on page
> 5 of this
> document):  http://cr.yp.to/2004-494/0910.pdf
>
> -D
>
>
> On 8/24/05, Kaveh Razavi <c0d3rz_team () yahoo com>
> wrote:
> > it is not a high risk vulnerability .
> > chance of making an stable exploit in a unicode
> > overflow is low .
> > Regards
> >
> > c0d3r of IHS
> > Network Security Reseacher
> >
> > > LeapFTP .lsq Buffer Overflow Vulnerability
> > >
> > > by Sowhat
> > >
> > > Last Update:2005.08.24
> > >
> > > http://secway.org/advisory/AD20050824.txt
> > >
> > > Vendor:
> > >
> > > LeapWare Inc.
> > >
> > > Product Affected:
> > >
> > > LeapFTP < 2.7.6.612
> > >
> > > Overview:
> > >
> > > LeapFTP is the award-winning shareware FTP
> client
> > > that combines an
> > > intuitive interface with one of the most
> powerful
> > > client bases around.
> > >
> > >
> > > Details:
> > >
> > > .LSQ is the LeapFTP Site Queue file, And it is
> > > registered with Windows
> > > by LeapFTP. You can save a transfer Queue to
> .lsq
> > > files and transfer it
> > > later by opening the .lsq files.
> > >
> > > However, LeapFTP does not properly check the
> length
> > > of the "Host" fields,
> > > when a overly long string is supplied, there
> will be
> > > a buffer overflow
> > > and probably arbitrary code execution.
> > >
> > > This vulnerability can be exploited by sending
> the
> > > malformed .lsq file
> > > to the victim, after the victim open the .lsq
> file,
> > > arbitray code may
> > > executed.
> > >
> > >
> > > //bof.lsq
> > >
> > > [HOSTINFO]
> > > HOST=AAAAA...[ long string ]...AAAAA
> > > USER=username
> > > PASS=password
> > >
> > > [FILES]
> "1","/winis/ApiList.zip","477,839","E:\ApiList.zip"
> > > SOLUTION:
> > >
> > > All users are encouraged to upgrade to 2.7.6
> > > immediately
> > > Vendor also released an advisory:
> > > http://www.leapware.com/security/2005082301.txt
> > >
> > > Vendor Response:
> > >
> > > 2005.08.22 Vendor notified via online WebForm
> > > 2005.08.23 Vendor responsed and bug fixed
> > > 2005.08.24 Vendor released the new version
> 2.7.6.612
> > > 2005.08.24 Advisory Released
> >
> >
> >
> > ';" type="text/css">
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> protection around
> > http://mail.yahoo.com


';" type="text/css">



                
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail

Attachment: unicode.txt
Description: 901836124-unicode.txt