| SurgeFtp Server BufferOverflow Vulnerability|

Summary

SurgeFTP Server has a buffer overflow vulnerability which effects
denial of service or potential remote code execution.

CVE number: CVE-2013-4742
Impact: High

Vendor homepage:
http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp

Vendor notified: 22/05/2013

Vendor fixed: 30/05/2013

Affected Products

SurgeFTP Server 23c8 and older linux versions.

Details

The bug was triggered during authentication of ftp service .The root
cause of the problem is processing a very long line with no 'crlf' ,
resulting in a memmove operation past the end of a buffer, and that
would turn in corruption in a random way on heap or stack.Unless the
injection vector effect is not so stable ,one of the possibility of
code execution is "vfprint" function which you can exploit by calling
a next library function that exists and writable on GOT entry . The
following you can see EIP can be owned by ECX+0x1c address. Software
was complied with NX and code execution can be done by using ROP.

Gnu debugger enabled with pead output=>

EAX: 0x3b93b70 ("22 13:15:14.00: <– ", 'F' <repeats 80 times>, "\n")
EBX: 0x353ff4 –> 0xb4cd7c
ECX: 0x54545454 ('AAAA')
EDX: 0x65 ('e')
ESI: 0xb7611700 ('C' <repeats 72 times>, "T\333q\003", 'T' <repeats
124 times>…)
EDI: 0x1
EBP: 0x3b95c34 –> 0x3b961f8 –> 0x3b96218 –> 0x3b96e18 –> 0x3b97df8
–> 0x3b99258 –> 0x3b99698 –> 0x3b9a2e8 –> 0x3b9a338 –> 0x3b9a388
–> 0x3b9a498 –> 0x0
ESP: 0x3b93b54 –> 0xb7611700 ('C' <repeats 72 times>, "T\333q\003",
'T' <repeats 124 times>…)
EIP: 0x206f15 (<buffered_vfprintf+277>: call DWORD PTR [ecx+0x1c])

Impact

DoS or RCE

Solution

Upgrade to SurgeFTP 23d2.

Twitter @pazwant