lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 09 Jun 2003 12:19:41 +0900
From: ":: Operash ::" <nesumin@...thome.net>
To: bugtraq@...urityfocus.com
Subject: [FTP Voyager] File List Buffer Overflow Vulnerability



-----------------------------------------------------------------------
SUMMARY        : [FTP Voyager] File List Buffer Overflow Vulnerability
PRODUCT        : FTP Voyager
VERSIONS       : 9.1.0.3
                 10.0.0.0
VENDOR         : Rhino Software (http://www.rhinosoft.com/)
SEVERITY       : Critical.
                 Code Execution.
DISCOVERED BY  : nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-05-07
RELEASED DATE  : 2003-06-09
-----------------------------------------------------------------------

0. PRODUCTS
=============

  FTP Voyager is a GUI base FTP Client for Windows.
  Rhino Software (http://www.rhinosoft.com/)


1. DESCRIPTION
================

  The buffer overflow occurs on the stack area if a file list that
  contains a long line is returned from a server.
  By exploiting this vulnerability, an attacker can execute an arbitrary
  code on a user's system if the user connects to a malicious server.

  With this vulnerability, there could be following risks;

  * Infection with Virus or Trojan, etc.
  * Destruction of the system.
  * Leak or alteration of the local data.


2. SYSTEMS AFFECTED
=====================

  FTP Voyager  9.1.0.3
  FTP Voyager 10.0.0.0

  And previous versions may have same vulnerabilities.


3. SYSTEMS NOT AFFECTED
=========================

  FTP Voyager 10.0.0.1


4. EXAMINES
=============

  Tested versions :
    FTP Voyager  9.1.0.3
    FTP Voyager 10.0.0.0
    FTP Voyager 10.0.0.1

  Tested platforms :
    Windows 98SE Japanese
    Windows 2000 Professional SP3 Japanese


5. VENDOR STATUS
==================

  2003-05-23  Vendor released fixed-version (10.0.0.1).


6. SOLUTION
=============

  Upgrade to version 10.0.0.1  or later version.


7. TECHNICAL DETAILS
======================

  FTP Voyager requests a file list to a server using "LIST" command
  or etc when it's connected to the server.
  And then, if the returned file list (except the filename, including
  file extensions) contains, the buffer overflow would occur on
  the stack area.

  Example:

    -r-xr-xr-x 1 owner group AAAAA...(over 0x270 bytes)... Feb 1 00:00 Filename.ext

  If a saved Structured Exception Handler is overwritten with
  the address of buffer that has an arbitrary code or the address
  of instruction data that redirects to there, the processing path
  moves to that buffer.

  Therefore, it is able to execute an arbitrary code as the privilege
  of FTP Voyager process.

  Each offsets of the Structured Exception Handler are different from
  others by a part of the list.


8. SAMPLE CODE
================

  None release.


9. TIME TABLE
===============

  2003-04-20  Discovered this vulnerability.
  2003-05-07  Reported to vendor.
  2003-05-07  Received a reply from vendor.
  2003-05-08  Received a fixed-version(1) from vendor.
  2003-05-08  Found a problem still left, reported it to vendor.
  2003-05-09  Received a fixed-version(2) from vendor.
  2003-05-09  Conveyed to vendor that the fix has been done.
  2003-05-23  Vendor released fixed-version.
  2003-06-09  Released this advisory.


10. DISCLAIMER
===============

  A. We cannot guarantee the accuracy of all statements in this information.
  B. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  C. And we will take no responsibility for any kinds of disadvantages by
     using this information.
  D. You can quote this advisory without our permission if you keep the following;
     a. Do not distort this advisory's content.
     b. A quoted place should be a medium on the Internet.
  E. If you have any questions, please contact to us.


  * Exception

     We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
     redistribute our advisory.


11. CONTACT, ETC
=================

  :: Operash ::

  imagine (Operash Webmaster)
  nesumin <nesumin@...thome.net>


  Thanks to :

    melorin
    piso(sexy)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ