05-09-2003, 04:37 PM
bigstar
FlashFXP Developer
 
**FIXED in v2.1 FINAL** [Security Issue Bug Report] FlashFXP Multiple Buffer Overflow

THIS HAS BEEN RESOLVED in FLASHFXP v2.1 FINAL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings, FlashFXP Support Team.

I have found a security issue in your software, "FlashFXP 2.0 Build 905",
and I will report it here.

My English may not be good enough.

________________________________________

- ------------------------------------------------------------------
SUMMARY : FlashFXP Multiple Buffer Overflow Vulnerabilities
PRODUCT : FlashFXP
VERSION : 2.0 build 905
SEVERITY : Highest.
Code Execution.
DISCOVERED BY : nesumin <nesumin@softhome.net> [:: Operash ::]
REPORTED DATE : 2003/05/08
- ------------------------------------------------------------------

DESCRIPT:
===========

I have found two buffer overflow vulnerabilities in FlashFXP.

[1] HostName Buffer Overflow Vulnerability
[2] PASV Reply Buffer Overflow Vulnerability

Each of these vulnerabilities is a critical security hole
and can allow arbitrary machine code to be executed with the
privileges of the application process. These would allow an attacker to
infect the user's computer with a virus, destroy the system, etc.


SYSTEMS AFFECTED:
===================

FlashFXP 2.0 build 905

and possibly previous versions.


SYSTEMS NOT AFFECTED:
=======================

- ----


EXAMINES:
===========

FlashFXP 2.0 build 905 Windows 98SE JP
FlashFXP 2.0 build 905 Windows 2000 Professional SP3 JP


DETAILS:
===========

[1] HostName Buffer Overflow Vulnerability

A buffer overflow occurs in handling a HostName.
It occurs when copying a URL that has a long HostName
(over 0x90 bytes) if "ClipBoard Monitor" is enabled.

Example:
ftp://AAAAAAAAAAAAAA ... over 0x90 bytes ... /


This vulnerability can overwrite SEH records on the stack,
and arbitrary code can be executed by exploiting it.


------------------------------------------------------------------

[2] PASV Reply Buffer Overflow Vulnerability

A buffer overflow occurs in parsing the PASV reply from an FTP server.
It is caused by long address data, over 0x90 bytes.

Example:
227 (AAAAAAAAAAAAAA ... over 0x90 bytes ... ,1,1,1,1,1)


This vulnerability can overwrite SEH records on the stack,
and arbitrary code can be executed by exploiting it.


___________________________________________

[End of Report]


I strongly recommend that you fix these issues immediately
and correctly announce the information to users, then urge them
to update the software.

And I am going to publish information on these issues to the mailing list
"Bugtraq@securityfocus.com" and web sites etc. after 2 weeks.


Best Regards,
nesumin <nesumin@softhome.net> [:: Operash ::]



-----BEGIN PGP SIGNATURE-----
Version: PGPB2 version 0.01.6 (beta 13)

iQA/AwUBPrlgx720j06h6p3lEQIORgCgmFNsjHE9h5mlt21rVPFLer NGRlsAoLKR
kMbXfHRDphiKZ7ewO4++LfUC
=C6rl
-----END PGP SIGNATURE-----
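For item [2] of the report above, the usual defence is to parse the 227 reply strictly instead of copying its address text into a stack buffer. The following is an added example, not FlashFXP code and not part of the original post; the function names are hypothetical, and it assumes the parenthesised `(h1,h2,h3,h4,p1,p2)` reply form.

```c
#include <stdio.h>
#include <string.h>

/* Parse one decimal field in 0..255 (at most 3 digits) and advance *p.
   Returns the value, or -1 if the field is empty, too long or out of range. */
static int parse_octet(const char **p)
{
    int v = 0, digits = 0;
    while (**p >= '0' && **p <= '9') {
        if (++digits > 3) return -1;
        v = v * 10 + (**p - '0');
        (*p)++;
    }
    return (digits == 0 || v > 255) ? -1 : v;
}

/* Strict parser for "227 ... (h1,h2,h3,h4,p1,p2)".
   Returns 0 and fills ip/port on success, -1 on any malformed reply.
   No byte of the reply is copied into a fixed-size buffer. */
int parse_pasv_reply(const char *reply, unsigned char ip[4], unsigned short *port)
{
    int f[6];
    const char *p;

    if (strncmp(reply, "227", 3) != 0) return -1;
    p = strchr(reply, '(');
    if (p == NULL) return -1;
    p++;
    for (int i = 0; i < 6; i++) {
        f[i] = parse_octet(&p);
        /* each field must be followed by ',' and the last one by ')' */
        if (f[i] < 0 || *p++ != (i < 5 ? ',' : ')')) return -1;
    }
    for (int i = 0; i < 4; i++)
        ip[i] = (unsigned char)f[i];
    *port = (unsigned short)(f[4] * 256 + f[5]);
    return 0;
}

int main(void)
{
    /* Constructed samples: a well-formed reply and the over-long form from the report. */
    char bad[0x120] = "227 (";
    unsigned char ip[4];
    unsigned short port;
    memset(bad + 5, 'A', 0x100);
    strcat(bad, ",1,1,1,1,1)");
    printf("valid: %d\n", parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,19,137)", ip, &port));
    printf("over-long: %d\n", parse_pasv_reply(bad, ip, &port));
    return 0;
}
```

The same pattern, validating length and character set before any copy, applies to the hostname case in item [1].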