Re: [Full-disclosure] Re: LeapFTP .lsq Buffer Overflow Vulnerability

[Paul Farrow <augm58@xxxxxxxxxxxxx>]

However if you can successfully create a working exploit to execute 
arbitray code, simple calling the file something like

topsiteSVCDqueue.lsq  and sticking it on some p2p networks... could 
probably score yourself a few hits.

... not that im suggesting anyone try this... that would just be wrong.

Kaveh Razavi wrote:

> it is not a high risk vulnerability .
> chance of making an stable exploit in a unicode
> overflow is low .
> Regards
>
> c0d3r of IHS
> Network Security Reseacher
>
>  
>
> > LeapFTP .lsq Buffer Overflow Vulnerability
> >
> > by Sowhat
> >
> > Last Update:2005.08.24
> >
> > http://secway.org/advisory/AD20050824.txt
> >
> > Vendor:
> >
> > LeapWare Inc.
> >
> > Product Affected:
> >
> > LeapFTP < 2.7.6.612
> >
> > Overview:
> >
> > LeapFTP is the award-winning shareware FTP client
> > that combines an 
> > intuitive interface with one of the most powerful
> > client bases around. 
> >
> >
> > Details:
> >
> > .LSQ is the LeapFTP Site Queue file, And it is
> > registered with Windows
> > by LeapFTP. You can save a transfer Queue to .lsq
> > files and transfer it
> > later by opening the .lsq files. 
> >
> > However, LeapFTP does not properly check the length
> > of the "Host" fields,
> > when a overly long string is supplied, there will be
> > a buffer overflow
> > and probably arbitrary code execution.
> >
> > This vulnerability can be exploited by sending the
> > malformed .lsq file
> > to the victim, after the victim open the .lsq file,
> > arbitray code may
> > executed.
> >
> >
> > //bof.lsq
> >
> > [HOSTINFO]
> > HOST=AAAAA...[ long string ]...AAAAA
> > USER=username
> > PASS=password
> >
> > [FILES]
> > "1","/winis/ApiList.zip","477,839","E:\ApiList.zip"
> >
> > SOLUTION:
> >
> > All users are encouraged to upgrade to 2.7.6
> > immediately
> > Vendor also released an advisory:
> > http://www.leapware.com/security/2005082301.txt
> >
> > Vendor Response:
> >
> > 2005.08.22 Vendor notified via online WebForm 
> > 2005.08.23 Vendor responsed and bug fixed
> > 2005.08.24 Vendor released the new version 2.7.6.612
> > 2005.08.24 Advisory Released
> >
> >    
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/