BugTraq
Back to list
|
Post reply
Re: CuteFTP 5.0 XP, Buffer Overflow
Jun 18 2003 12:47PM
robert globalscape com
In-Reply-To: <20030206045629.9764.qmail (at) mail.securityfocus (dot) com [email concealed]>
Re: thread below, the new LIST defect and long URL buffer overflow defect
have been fixed in version 5.0.2 (released June 9th). This version is
available at:
http://www.globalscape.com/cuteftp and ftp://ftp.cuteftp.com/pub/cuteftp
Please uninstall 5.0.1, 5.0 or earlier versions and install 5.0.2. to
address these issues. Read the notes.txt file included in the install for
more details.
Robert Oslin
Product Manager
GlobalSCAPE Texas, LP.
=====================
>Received: (qmail 5609 invoked from network); 6 Feb 2003 16:47:36 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 6 Feb 2003 16:47:36 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id E901AA30D8; Thu, 6 Feb 2003 08:44:49 -0700 (MST)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 27960 invoked from network); 6 Feb 2003 04:55:20 -0000
>Message-ID: <20030206045629.9764.qmail (at) mail.securityfocus (dot) com [email concealed]>
>Date: Thu, 06 Feb 2003 13:56:06 +0900
>From: Kanatoko <anvil (at) jumperz (dot) net [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Re: CuteFTP 5.0 XP, Buffer Overflow
>In-Reply-To: <BAY2-F14x4qfU1gqs600002752f (at) hotmail (dot) com [email concealed]>
>References: <BAY2-F14x4qfU1gqs600002752f (at) hotmail (dot) com [email concealed]>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>X-Mailer: Becky! ver 1.26.09
>
>
>Cute FTP 5.0 XP, build 51.1.23.1 was released, but it is still
>vulnerable against the same issue.
>
>Sending 780 bytes( in previous build, it was 257 bytes ) as a reply to
>LIST command cause a stack overflow.
>
># BTW, I found another buffer overflow problem. Copy long url like
># "ftp://AAAAAAAAAAA....AAAAAAAAAAA/"
># to clipboard and execute CuteFTP. It will crash immediately.
># Seems like a bug, not a security hole.
>
>--
>Kanatoko<anvil (at) jumperz (dot) net [email concealed]>
>http://www.jumperz.net/
>irc.friend.td.nu:6667 #ouroboros
>
>
>
>On Sat, 18 Jan 2003 06:25:31 +0000
>"Lance Fitz-Herbert" <fitzies (at) hotmail (dot) com [email concealed]> wrote:
>
>> Advisory 07:
>> ------------
>> Buffer Overflow In CuteFTP 5.0 XP
>>
>>
>> Discovered:
>> -----------
>> By Me, Lance Fitz-Herbert (aka phrizer).
>> September 4th, 2002
>>
>>
>> Vulnerable Applications:
>> ------------------------
>> Tested On CuteFTP 5.0 XP, build 50.6.10.2
>> Others could be vulnerable...
>>
>>
>> Impact:
>> -------
>> Medium,
>> This could allow arbitary code to be executed on the remote victims
machine,
>> if the attacker is
>> successfull in luring a victim onto his server.
>>
>>
>> Details:
>> --------
>> When a FTP Server is responding to a "LIST" (directory listing)
command, the
>> response is sent
>> over a data connection. Sending 257 bytes over this connection will
cause a
>> buffer to overflow,
>> and the EIP register can be overwritten completely by sending 260 bytes
of
>> data.
>>
>>
>> Vendor Status:
>> --------------
>> Contacted GlobalSCAPE Jan 14th 2003, After a couple of emails back and
forth
>> within a few days, they
>> confirmed the problem, and siad they are working on a release for
Monday
>> (20th Jan, 03) which will address
>> the issue.
>>
>>
>> Solution:
>> ---------
>> Upgrade to new version which should be avalible from Monday (20th Jan,
03).
>>
>>
>> Exploit:
>> --------
>> Not released.
>>
>>
>> Contacting Me:
>> --------------
>> ICQ: 23549284
>> IRC: irc.dal.net #KORP
>>
>>
>>
>> ----
>> NOTE: Because of the amount of spam i receive, i require all emails *to
me*
>> to contain the word "nospam" in the subject line somewhere. Else i
might not
>> get your email. thankyou.
>> ----
>>
>>
>>
>>
>>
>>
>> _________________________________________________________________
>> MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*
>> http://join.msn.com/?page=features/virus
>>
>>
>
>
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Re: thread below, the new LIST defect and long URL buffer overflow defect
have been fixed in version 5.0.2 (released June 9th). This version is
available at:
http://www.globalscape.com/cuteftp and ftp://ftp.cuteftp.com/pub/cuteftp
Please uninstall 5.0.1, 5.0 or earlier versions and install 5.0.2. to
address these issues. Read the notes.txt file included in the install for
more details.
Robert Oslin
Product Manager
GlobalSCAPE Texas, LP.
=====================
>Received: (qmail 5609 invoked from network); 6 Feb 2003 16:47:36 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 6 Feb 2003 16:47:36 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id E901AA30D8; Thu, 6 Feb 2003 08:44:49 -0700 (MST)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 27960 invoked from network); 6 Feb 2003 04:55:20 -0000
>Message-ID: <20030206045629.9764.qmail (at) mail.securityfocus (dot) com [email concealed]>
>Date: Thu, 06 Feb 2003 13:56:06 +0900
>From: Kanatoko <anvil (at) jumperz (dot) net [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Re: CuteFTP 5.0 XP, Buffer Overflow
>In-Reply-To: <BAY2-F14x4qfU1gqs600002752f (at) hotmail (dot) com [email concealed]>
>References: <BAY2-F14x4qfU1gqs600002752f (at) hotmail (dot) com [email concealed]>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>X-Mailer: Becky! ver 1.26.09
>
>
>Cute FTP 5.0 XP, build 51.1.23.1 was released, but it is still
>vulnerable against the same issue.
>
>Sending 780 bytes( in previous build, it was 257 bytes ) as a reply to
>LIST command cause a stack overflow.
>
># BTW, I found another buffer overflow problem. Copy long url like
># "ftp://AAAAAAAAAAA....AAAAAAAAAAA/"
># to clipboard and execute CuteFTP. It will crash immediately.
># Seems like a bug, not a security hole.
>
>--
>Kanatoko<anvil (at) jumperz (dot) net [email concealed]>
>http://www.jumperz.net/
>irc.friend.td.nu:6667 #ouroboros
>
>
>
>On Sat, 18 Jan 2003 06:25:31 +0000
>"Lance Fitz-Herbert" <fitzies (at) hotmail (dot) com [email concealed]> wrote:
>
>> Advisory 07:
>> ------------
>> Buffer Overflow In CuteFTP 5.0 XP
>>
>>
>> Discovered:
>> -----------
>> By Me, Lance Fitz-Herbert (aka phrizer).
>> September 4th, 2002
>>
>>
>> Vulnerable Applications:
>> ------------------------
>> Tested On CuteFTP 5.0 XP, build 50.6.10.2
>> Others could be vulnerable...
>>
>>
>> Impact:
>> -------
>> Medium,
>> This could allow arbitary code to be executed on the remote victims
machine,
>> if the attacker is
>> successfull in luring a victim onto his server.
>>
>>
>> Details:
>> --------
>> When a FTP Server is responding to a "LIST" (directory listing)
command, the
>> response is sent
>> over a data connection. Sending 257 bytes over this connection will
cause a
>> buffer to overflow,
>> and the EIP register can be overwritten completely by sending 260 bytes
of
>> data.
>>
>>
>> Vendor Status:
>> --------------
>> Contacted GlobalSCAPE Jan 14th 2003, After a couple of emails back and
forth
>> within a few days, they
>> confirmed the problem, and siad they are working on a release for
Monday
>> (20th Jan, 03) which will address
>> the issue.
>>
>>
>> Solution:
>> ---------
>> Upgrade to new version which should be avalible from Monday (20th Jan,
03).
>>
>>
>> Exploit:
>> --------
>> Not released.
>>
>>
>> Contacting Me:
>> --------------
>> ICQ: 23549284
>> IRC: irc.dal.net #KORP
>>
>>
>>
>> ----
>> NOTE: Because of the amount of spam i receive, i require all emails *to
me*
>> to contain the word "nospam" in the subject line somewhere. Else i
might not
>> get your email. thankyou.
>> ----
>>
>>
>>
>>
>>
>>
>> _________________________________________________________________
>> MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*
>> http://join.msn.com/?page=features/virus
>>
>>
>
>
[ reply ]