NicoFTP Buffer Overflow Vulnerability

Vulnerability ID: 1196427    Vulnerability type: Buffer overflow
Published: 2006-01-06    Updated: 2006-01-06
CVE ID: CVE-2006-0100    CNNVD ID: CNNVD-200601-043
Platform: N/A    CVSS score: 4.6
|Vulnerability sources
https://www.securityfocus.com/bid/86959
https://cxsecurity.com/issue/WLB-2006010007
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-043
|Vulnerability details
Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local users to execute arbitrary code via a long string in the "Site name" field of an FTP account. NOTE: because this program runs with the privileges of the invoking user, and remote programs normally cannot create or modify FTP accounts in it, this issue may not have a typical attack vector that crosses privilege boundaries. Therefore, this may not be a vulnerability.
|Exploit (EXP)
/* 
 * Name: NicoFTP Stack Overflow
 * Version: 3.0.1.19
 * Developer: NicoSW
 * Developer site: www.nicosw.com (Offline)
 * Developer contact: nicoftp[at]nicosw[dot]com
 * Discovered by: K4P0 <k4p0k4p0[at]hotmail[dot]com>
 * Found: 12/29/2005 (MM/DD/YYYY)
 * Published: 01/01/2006 (MM/DD/YYYY)
 */

-- Intro

NicoFTP is a freeware, light, simple and fast FTP client program. This bug affects this software on version 3.0.1.19 and earlier ones.

-- Bug

A simple stack overflow.

-- Fix

It isn't open-source software, but it could be fixed by checking the length of the personalizable name of the FTP site before storing it into memory.
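The length check proposed above, as an added example that is not NicoFTP's own code (the program is closed-source): a C loader for the bracketed 'Name' line of a Sites.conf-style file that measures the name before storing it, next to the unchecked pattern it replaces. NAME_MAX, the function names, the error codes and the SAMPLE_LINES fragment are assumptions for illustration; the real field size is not stated anywhere on this page.

```c
/* Added example, not NicoFTP's own code. A bounds-checked loader for the
 * "[Name]" line of a Sites.conf-style file: the name is measured before
 * it is stored. NAME_MAX, the function names, the error codes and
 * SAMPLE_LINES are assumptions; the real field size is not given. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* hypothetical fixed-size field */

enum { SITE_OK = 0, SITE_BAD_FORMAT = -1, SITE_TOO_LONG = -2 };

/* Pattern to avoid, shown for contrast: the bracketed name is written into
 * a fixed stack buffer with no width limit, so a name longer than NAME_MAX
 * overwrites whatever follows the buffer on the stack. Only ever called
 * with a short constant in main() below. */
static void load_site_name_unchecked(const char *line, char *out)
{
    char buf[NAME_MAX];
    if (sscanf(line, "[%[^]]]", buf) == 1)   /* no field width: unbounded write */
        strcpy(out, buf);
    else
        out[0] = '\0';
}

/* Hardened version: check the "[...]" framing, measure the name, and reject
 * anything that would not fit together with its terminating NUL. Accepts
 * raw fgets() lines, so a trailing CR/LF is ignored. */
static int load_site_name(const char *line, char *out, size_t out_size)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;
    if (len < 2 || line[0] != '[' || line[len - 1] != ']')
        return SITE_BAD_FORMAT;
    size_t name_len = len - 2;
    if (name_len >= out_size)          /* leave room for the NUL */
        return SITE_TOO_LONG;
    memcpy(out, line + 1, name_len);
    out[name_len] = '\0';
    return SITE_OK;
}

/* Constructed Sites.conf fragment: two valid names, one non-name line and
 * one 80-character name that exceeds NAME_MAX. */
static const char *const SAMPLE_LINES[] = {
    "[Home server]\n",
    "[Work FTP]",
    "Host=ftp.example.invalid",
    "[" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "]",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Runs every line through the checked parser and returns the number of
 * names accepted; rejected lines are reported on stderr and skipped. */
static int count_valid_sites(const char *const *lines, size_t n)
{
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        char name[NAME_MAX];
        int rc = load_site_name(lines[i], name, sizeof name);
        if (rc == SITE_OK) {
            accepted++;
        } else {
            fprintf(stderr, "line %zu rejected (%s)\n", i,
                    rc == SITE_TOO_LONG ? "name too long" : "bad format");
        }
    }
    return accepted;
}

int main(void)
{
    char name[NAME_MAX];
    load_site_name_unchecked("[short]", name);   /* safe only because the input is short */
    printf("unchecked: %s\n", name);
    printf("accepted %d of %zu sample lines\n",
           count_valid_sites(SAMPLE_LINES, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```

The hardened loader rejects the over-long line instead of truncating it, so a configuration file edited by hand (as the advisory suggests) cannot push more bytes into the stack buffer than it holds; truncating silently would also be memory-safe, but rejecting makes the bad entry visible to the user.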

-- Exploit

A new FTP account must be created (or an existing one modified); when filling the 'Name of site', write 4101 random characters, then write 4 characters more that will produce the Stack Overflow by trying to access that address.
It's a better idea to modify the 'Name' value through Sites.conf (the 'Name' field is located between [ ]).

I didn't have success by trying to make the exploit, because it executes many instructions using registers that are also overwritten, so when it tries to read the address from the registers (precisely eax & ebx) it goes to a nonexistent address, such as 0x41414141.
I tried to modify the addresses where the registers pointed at, but it's almost impossible.

As a proof of concept you can try to write a string in the corresponding field taking care how many characters you write; if you wanna try, follow the above instructions.
You can find a string I made in: www.usuarios.lycos.es/altohack/adv/NicoFTPProof.txt
|Affected products
Nicosw Nicoftp 3.0.1.19
|References

Source: BUGTRAQ
Name: 20060102 NicoFTP Stack Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/420670/100/0/threaded
Source: SREASON
Name: 317
Link: http://securityreason.com/securityalert/317