Full Disclosure mailing list archives
Re: Re: LeapFTP .lsq Buffer Overflow Vulnerability
From: Paul Farrow <augm58 () dsl pipex com>
Date: Wed, 24 Aug 2005 22:43:25 +0100
However if you can successfully create a working exploit to execute arbitray code, simple calling the file something like
topsiteSVCDqueue.lsq and sticking it on some p2p networks... could probably score yourself a few hits.
... not that im suggesting anyone try this... that would just be wrong. Kaveh Razavi wrote:
it is not a high risk vulnerability . chance of making an stable exploit in a unicode overflow is low . Regards c0d3r of IHS Network Security ReseacherLeapFTP .lsq Buffer Overflow Vulnerability by Sowhat Last Update:2005.08.24 http://secway.org/advisory/AD20050824.txt Vendor: LeapWare Inc. Product Affected: LeapFTP < 2.7.6.612 Overview: LeapFTP is the award-winning shareware FTP clientthat combines an intuitive interface with one of the most powerful client bases around.Details: .LSQ is the LeapFTP Site Queue file, And it is registered with Windows by LeapFTP. You can save a transfer Queue to .lsq files and transfer itlater by opening the .lsq files.However, LeapFTP does not properly check the length of the "Host" fields, when a overly long string is supplied, there will be a buffer overflow and probably arbitrary code execution. This vulnerability can be exploited by sending the malformed .lsq file to the victim, after the victim open the .lsq file, arbitray code may executed. //bof.lsq [HOSTINFO] HOST=AAAAA...[ long string ]...AAAAA USER=username PASS=password [FILES] "1","/winis/ApiList.zip","477,839","E:\ApiList.zip" SOLUTION: All users are encouraged to upgrade to 2.7.6 immediately Vendor also released an advisory: http://www.leapware.com/security/2005082301.txt Vendor Response:2005.08.22 Vendor notified via online WebForm 2005.08.23 Vendor responsed and bug fixed2005.08.24 Vendor released the new version 2.7.6.612 2005.08.24 Advisory Released
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- LeapFTP .lsq Buffer Overflow Vulnerability Sowhat . (Aug 24)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Kaveh Razavi (Aug 24)
- Re: Re: LeapFTP .lsq Buffer Overflow Vulnerability Paul Farrow (Aug 24)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Damien Palmer (Aug 25)
- Re: LeapFTP .lsq Buffer Overflow Vulnerability Kaveh Razavi (Aug 24)