You are on page 1of 6

FlashFXP v4.1.8.

1701 - Buffer Overflow Vulnerability From: "research () vulnerab ility-lab com" <research () vulnerability-lab com> Date: Thu, 01 Mar 2012 18:17:59 +0100 Title: ====== FlashFXP v4.1.8.1701 - Buffer Overflow Vulnerability Date: ===== 2012-03-01 References: =========== http://www.vulnerability-lab.com/get_content.php?id=462 VL-ID: ===== 462 Introduction: ============= FlashFXP is a FTP (File Transfer Protocol) client for Windows, it offers you eas y and fast ways to transfer any file between other local computers (LAN - Local Area Network) running a FTP server or via the Internet (W AN - Wide Area Network) and even directly between two servers using Site to Site transfers (FXP - File eXchange Protocol). Use FlashFX P to publish and maintain your website, Upload and download documents, photos, videos, music and more! Share your files with your friends an d co-workers using the powerful site manager. There are many features and advanced options available within FlashFXP which are being added wi th the release of each new version stable or beta*. The software is available in over 20 languages and under active development. FlashFXP offers high security, performance, and reliability that you can always depend on to get your job done swiftly and efficiently. (Copy of the Vendor Homepage: http://www.flashfxp.com) Abstract: ========= The Vulnerability Laboratory Research Team discovered a Buffer Overflow Vulnerab ility on FlashFXP v4.1.8.1701. Report-Timeline: ================ 2012-02-27: Vendor Notification 2012-02-28: Vendor Response/Feedback 2012-03-01: Public or Non-Public Disclosure

Status: ======== Published Affected Products: ================== OpenSight Software Product: FlashFXP Software Client v4.1.8.1701 Exploitation-Technique: ======================= Local Severity: ========= High Details: ======== A Buffer Overflow Vulnerability is detected on FlashFXPs Software Client v4.1.8. 1701. The vulnerability is located when processing to force a ListIndex Out of Bound(s) exception which all ows to overwrite ecx & eip of the affected software process. Successful exploitation can result in process compromise, execution of arbitrary code, system compromise or escaltions with privileges of affected vuln erable software process. The flaw is a direct result of a fixed length buffer being used in the TListBox control and the lack of range checking. The code assumes that the string returned by the listbox control will be less than 4097 characters. It uses a fixed size buffer of 4096 bytes and any tex t longer than this will overflow and overwrite the memory beyond it. The TComboBox control also suf fers a similar flaw. Vulnerable Module(s): [+] List Index & Exception Handl ing [TListBox] Picture(s): ../1.png ../2.png ../3.png ../4.png ../5.png Proof of Concept: ================= The vulnerability can be exploited by local & remote attackers. For demonstratio n or reproduce ...

Manually reproduce ... 1. Download & open the software client 2. Connect to a random server for inter action 3. Enable the Option Settings => Filters => Skip-List 3. Open the Option => Filter Settings 4. Add a new (Skip-List)one by Including a large unicode string & wait for the e xception-handling 5. The exception-handling out of bounds comes up 6. You pass it 2 times by clicking continue ... 7. The software is now crashing with a stable bex exception & displays input as offset[6] 8. Now you can overwrite the ecx & eip of the affected vulnerable software proce ss to exploit the client system Note: To exploit the bug (remote) an attacker needs to know the included filters of the connected client to send large strings. --- Exception Error date/time : computer name : user name : operating system : system language : system up time : program up time : processors : physical memory : free disk space : display mode : process id : allocated memory : executable : exec. date/time : executable hash : version : ANSI code page : callstack crc : exception number : exception class : exception message : --- Exception Error date/time : computer name : user name : operating system : system language : system up time : program up time : processors : physical memory : free disk space : display mode : process id : allocated memory : executable : #1 --2012-02-28, 16:38:58, 531ms HOSTBUSTER Rem0ve Windows 7 Tablet PC x64 Service Pack 1 build 7601 German 5 days 13 hours 7 minutes 2 seconds 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz 2243/4091 MB (free/total) (C:) 207,54 GB 1366x768, 32 bit $16fc 50,75 MB FlashFXP.exe 2012-01-15 22:45 34A53BD60479975EA6DAAB55B8D878B4 4.1.8.1701 1252 $1083d124, $c40af1d7, $90cfaf70 1 EStringListError List index out of bounds (0). #2 --2012-02-28, 16:39:57, 530ms HOSTBUSTER Rem0ve Windows 7 Tablet PC x64 Service Pack 1 build 7601 German 5 days 13 hours 8 minutes 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz 2220/4091 MB (free/total) (C:) 207,54 GB 1366x768, 32 bit $16fc 66,67 MB FlashFXP.exe

exec. date/time executable hash version ANSI code page callstack crc exception number exception class exception message

: : : : : : : :

2012-01-15 22:45 34A53BD60479975EA6DAAB55B8D878B4 4.1.8.1701 1252 $b94d6925, $57f8c46d, $8f2c6734 2 EStringListError List index out of bounds (0).

--- Exception BEX #3 (Overwrite) --Version=1 EventType=BEX EventTime=129749175156198070 ReportType=2 Consent=1 ReportIdentifier=34b76897-6223-11e1-afbd-c4a714168486 IntegratorReportIdentifier=34b76896-6223-11e1-afbd-c4a714168486 WOW64=1 Response.type=4 Sig[0].Name=Anwendungsname Sig[0].Value=FlashFXP.exe Sig[1].Name=Anwendungsversion Sig[1].Value=4.1.8.1701 Sig[2].Name=Anwendungszeitstempel Sig[2].Value=2a425e19 Sig[3].Name=Fehlermodulname Sig[3].Value=StackHash_e98d Sig[4].Name=Fehlermodulversion Sig[4].Value=0.0.0.0 Sig[5].Name=Fehlermodulzeitstempel Sig[5].Value=00000000 Sig[6].Name=Ausnahmeoffset Sig[6].Value=41414141 <= ECX | EIP Sig[7].Name=Ausnahmecode Sig[7].Value=c0000005 Sig[8].Name=Ausnahmedaten Sig[8].Value=00000008 DynamicSig[1].Name=Betriebsystemversion DynamicSig[1].Value=6.1.7601.2.1.0.768.3 DynamicSig[2].Name=Gebietsschema-ID DynamicSig[2].Value=1031 DynamicSig[22].Name=Zusatzinformation 1 DynamicSig[22].Value=e98d DynamicSig[23].Name=Zusatzinformation 2 DynamicSig[23].Value=e98dfca8bcf81bc1740adb135579ad53 DynamicSig[24].Name=Zusatzinformation 3 DynamicSig[24].Value=6eab DynamicSig[25].Name=Zusatzinformation 4 DynamicSig[25].Value=6eabdd9e0dc94904be3b39a1c0583635 UI[2]=C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe UI[3]=FlashFXP funktioniert nicht mehr UI[4]=Windows kann online nach einer Lsung fr das Problem suchen. UI[5]=Online nach einer Lsung suchen und das Programm schlie en UI[6]=Spter online nach einer Lsung suchen und das Programm schlie en UI[7]=Programm schlie en ... FriendlyEventName=Nicht mehr funktionsfhig ConsentKey=BEX AppName=FlashFXP

AppPath=C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe Reference(s): ../AppCrash_FlashFXP.exe_cb63a668207dbeae0f33144dffb1e66 eae843_0a310ac0 ../AppCrash_FlashFXP.exe_cb63a668207dbeae0f33144dffb1e66 eae843_07c4b531 ../bugreport1.txt ../bugreport2.txt ../video-poc-demo.wmv Risk: ===== The security risk of the buffer overflow vulnerability is estimated as high(-). Credits: ======== Vulnerability Research Laboratory - Benjamin Kunz Mejri Disclaimer: =========== The information provided in this advisory is provided as it is without any warra nty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and cap ability for a particular purpose. VulnerabilityLab or its suppliers are not liable in any case of damage, including direct, ind irect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential o r incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from VulnerabilityLab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers. Copyright 2012|Vulnerability-Lab

-Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com Contact: admin () vulnerability-lab com or support () vulnerability-lab com _______________________________________________ Full-Disclosure - We believe in it.

Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

You might also like