In-Reply-To: <20030908202530.24144.qmail@sf-www1-symnsj.securityfocus.com>

The heap overflow bug has been fixed. The new FTP Desktop version is now available for downloading from http://www.ftpdesktop.net/download.html

>Date: 8 Sep 2003 20:25:30 -0000
>Message-ID: <20030908202530.24144.qmail@sf-www1-symnsj.securityfocus.com>
>From: Bahaa Naamneh <b_naamneh@hotmail.com>
>To: bugtraq@securityfocus.com
>Subject: Multiple Heap Overflows in FTP Desktop
>
>
>Multiple Heap Overflows in FTP Desktop
>
>
>Introduction:
>=============
>"FTP Desktop lets you access FTP sites as if they were folders on your
>computer.
>Now you can move your files between your hard disk and remote FTP sites
>with greater ease."
>- Vendor's Description
> [ http://www.ftpdesktop.com ]
>
>Note:
>FTP Desktop is fully integrated into Windows Explorer, so the actual
>module at fault appears as 'explorer.exe'.
>
>
>Details:
>========
>Vulnerable systems: FTP Desktop version 3.5 (and possibly earlier
>versions).
>
>Vulnerability: It is possible to cause a heap overflow in FTP Desktop,
>allowing total modification of the EIP pointer - this can be maliciously
>altered to allow remote arbitrary code execution. The overflow occurs in
>the FTP banner and other areas, as shown here:
>
>FTP Banner:
>-----------
>(FTP Desktop connected...)
>    PADDING EBP  EIP
>220 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>Username:
>---------
>(FTP Desktop Sends 'USER username')
>    PADDING EBP  EIP
>331 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>Password:
>---------
>(FTP Desktop Sends 'PASS password')
>    PADDING EBP  EIP
>331 [229xA][4xB][4xX]
>(Access violation when executing 0x58585858) // 4xX
>
>
>Vendor status:
>==============
>The vendor has been informed, and they are fixing this bug.
>The updated version, when released, can be downloaded from:
>
>http://www.ftpdesktop.net/download.html
>[ http://www.ftpdesktop.net/download/ftpsetup.exe ]
>
>
>Exploit:
>========
>http://www.elitehaven.net/ftpdesktop.zip
>
>(I would like to thank Peter Winter-Smith for helping me with the exploitation)
>
>
>Discovered by/Credit:
>=====================
>Bahaa Naamneh
>b_naamneh@hotmail.com
>
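
The following is an added example, not part of the original messages and not FTP Desktop's code or the vendor's fix. It sketches the bounded handling of a server reply line that prevents the class of overflow the advisory describes for the banner and the USER/PASS responses. The names `parse_ftp_reply`, `struct ftp_reply` and the 128-byte buffer are assumptions; the 237-byte sample matches the advisory's 229+4+4 layout and is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPLY_TEXT_MAX 128  /* assumed buffer size, not FTP Desktop's real one */

struct ftp_reply {
    int  code;                  /* three-digit reply code, e.g. 220 or 331 */
    char text[REPLY_TEXT_MAX];  /* NUL-terminated reply text */
};

/* Parse one reply line ("220 text\r\n") of line_len bytes.
 * Returns 0 on success, -1 if malformed, -2 if the text does not fit.
 * The length is checked before the copy, so an oversized banner or
 * USER/PASS response is rejected rather than written past the buffer. */
int parse_ftp_reply(const char *line, size_t line_len, struct ftp_reply *out)
{
    if (line == NULL || out == NULL || line_len < 4)
        return -1;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return -1;
    if (line[3] != ' ' && line[3] != '-')
        return -1;
    /* Drop the trailing CR/LF before measuring the text. */
    while (line_len > 4 && (line[line_len - 1] == '\r' || line[line_len - 1] == '\n'))
        line_len--;
    size_t text_len = line_len - 4;
    if (text_len >= sizeof out->text)   /* keep one byte for the terminator */
        return -2;
    out->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    memcpy(out->text, line + 4, text_len);
    out->text[text_len] = '\0';
    return 0;
}

int main(void)
{
    struct ftp_reply r;
    const char *ok = "220 Service ready\r\n";   /* constructed sample */
    char big[4 + 237 + 3];                      /* constructed: 237-byte text */
    memcpy(big, "220 ", 4);
    memset(big + 4, 'A', 237);
    memcpy(big + 241, "\r\n", 3);
    printf("normal banner:   %d\n", parse_ftp_reply(ok, strlen(ok), &r));
    printf("237-byte banner: %d\n", parse_ftp_reply(big, strlen(big), &r));
    return 0;
}
```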