Cerberus FTP Server 3.0 crash bug

  • #29883
    strace
    Participant

    Reporting a security issue. Version 3.0 can be crashed by sending an FTP command longer than 1400 bytes. It's not clear to me if this vulnerability is exploitable in any way that would allow code execution, but an attacker can crash the FTP server.

    CWD AAAAAA … [1400+ bytes]

    Note: I was able to crash the server with any command that is a valid command with an argument of 1400+ bytes. When it crashes, the application kicks out an exception code of c0000417, STATUS_INVALID_CRUNTIME_PARAMETER. I also tested with string sizes 200, 500, 700, but the crash only occurs when the string length is equal to or greater than 1400 bytes.

    Problem signature:
    Problem Event Name: BEX
    Application Name: CerberusGUI.exe
    Application Version: 3.0.1.0
    Application Timestamp: 4a726319
    Fault Module Name: MSVCR90.dll
    Fault Module Version: 9.0.30729.4148
    Fault Module Timestamp: 4a594c79
    Exception Offset: 000375b4
    Exception Code: c0000417
    Exception Data: 00000000
    OS Version: 6.0.6001.2.1.0.256.1
    Locale ID: 1033
    Additional Information 1: 5279
    Additional Information 2: 89d8199162307e605d4bbbed7bae4368
    Additional Information 3: 01c5
    Additional Information 4: 13926f9fb65e55e70738bba3548c7666

    strace@gmail.com

    Using Cerberus FTP Server 3.0 Professional

    Build date: 2009/07/30

    #35244
    imported_Serin
    Participant

    Hello strace,

    I will check out the report and post a fix if necessary. The bug shouldn’t be exploitable as I use all secure C runtime functions for parsing (thus the CRUNTIME notice). Of course, using the secure C runtime isn’t a guarantee of safety but I will look into the issue and patch it immediately if I can duplicate it.

    If you discover any additional issues I would appreciate you emailing me first to give me a chance to examine and patch any potential security vulnerabilities.

    Thanks,

    #35245
    imported_Serin
    Participant

    Confirmed the problem. There is no potential for a buffer overflow. The code checks properly for size before trying to use the buffer. Unfortunately, I have CRT set to terminate the program if a string longer than the buffer is passed in.

    Thanks for the bug report. I have a fix ready and I will hopefully be able to get it out sometime tomorrow.
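The two posts above describe the whole mechanism: the report shows that any command with a 1400+ byte argument takes the process down with STATUS_INVALID_CRUNTIME_PARAMETER (0xC0000417), and the developer's reply explains why: the parser copies into fixed buffers with the MSVC secure CRT functions, which never overflow the destination but hand an oversized source to the CRT invalid-parameter handler, and the default handler terminates the process. The following is an added example, not Cerberus FTP Server code. It models that behaviour in portable C (so it builds without MSVC): a strcpy_s stand-in, a handler that can be swapped out the way `_set_invalid_parameter_handler` allows, the "before" command handler whose only defence is the secure CRT call, and the "after" handler that checks the length itself and answers with an FTP error reply. The buffer size of 1400, the function names and the reply texts are assumptions chosen to match the thread, not the product's real values.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Cerberus FTP Server code. Models the MSVC secure-CRT
 * failure mode discussed in the thread: a copy that cannot overflow, but
 * invokes the CRT invalid-parameter handler when the source does not fit,
 * and that handler terminates the process by default (0xC0000417). */

/* Assumed buffer size: the report shows 1400+ bytes crash 3.0.1, the real
 * size in the product is not given, so 1400 is used to match that boundary. */
#define CMD_ARG_MAX 1400

typedef void (*invalid_param_handler_t)(const char *func);

static int g_handler_calls = 0;

/* What the stock CRT handler does: report, then terminate the process. */
static void terminating_handler(const char *func) {
    fprintf(stderr, "%s: invalid parameter, terminating process\n", func);
    abort();
}

/* A handler that returns; the *_s function then reports an error instead. */
static void counting_handler(const char *func) {
    (void)func;
    g_handler_calls++;
}

static invalid_param_handler_t g_handler = terminating_handler;

/* Stand-in for _set_invalid_parameter_handler(); returns the previous one. */
static invalid_param_handler_t set_invalid_param_handler(invalid_param_handler_t h) {
    invalid_param_handler_t old = g_handler;
    g_handler = h;
    return old;
}

/* Model of strcpy_s: 0 on success, ERANGE/EINVAL on bad input after calling
 * the handler and clearing dest, as the MSVC CRT does. Never overflows. */
static int model_strcpy_s(char *dest, size_t dest_size, const char *src) {
    if (dest == NULL || dest_size == 0 || src == NULL) {
        if (dest != NULL && dest_size > 0) dest[0] = '\0';
        g_handler("strcpy_s");
        return EINVAL;
    }
    size_t n = strlen(src);
    if (n >= dest_size) {          /* no room for the terminator: fail */
        dest[0] = '\0';
        g_handler("strcpy_s");
        return ERANGE;
    }
    memcpy(dest, src, n + 1);
    return 0;
}

/* "Before": memory-safe, but an oversized argument reaches the handler; with
 * the default handler the whole server dies (remote DoS, CWE-755). */
static int handle_cwd_unchecked(const char *arg, char *reply, size_t reply_size) {
    char path[CMD_ARG_MAX];
    int err = model_strcpy_s(path, sizeof path, arg);
    if (err != 0) {
        snprintf(reply, reply_size, "501 Argument too long\r\n");
        return err;
    }
    snprintf(reply, reply_size, "250 Directory changed\r\n");
    return 0;
}

/* "After": check the length before any *_s call can see the argument, so the
 * handler is never reached and the client just gets a 501 reply. */
static int handle_cwd_checked(const char *arg, char *reply, size_t reply_size) {
    char path[CMD_ARG_MAX];
    if (arg == NULL || strlen(arg) >= sizeof path) {
        snprintf(reply, reply_size, "501 Argument too long\r\n");
        return ERANGE;
    }
    int err = model_strcpy_s(path, sizeof path, arg);   /* cannot fail now */
    if (err != 0) {
        snprintf(reply, reply_size, "451 Internal error\r\n");
        return err;
    }
    snprintf(reply, reply_size, "250 Directory changed\r\n");
    return 0;
}

/* Constructed input: a CWD argument of n 'A' bytes, like the report's PoC. */
static char *make_long_arg(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) abort();
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void) {
    char reply[64];
    char *arg = make_long_arg(1400);
    /* Install a returning handler so the "before" path can be shown without
     * killing this process; with terminating_handler it would abort here. */
    set_invalid_param_handler(counting_handler);
    int err = handle_cwd_unchecked(arg, reply, sizeof reply);
    printf("unchecked: err=%d handler_calls=%d reply=%s", err, g_handler_calls, reply);
    err = handle_cwd_checked(arg, reply, sizeof reply);
    printf("checked:   err=%d handler_calls=%d reply=%s", err, g_handler_calls, reply);
    free(arg);
    return 0;
}
```

Installing a non-terminating handler (`_set_invalid_parameter_handler` on Windows) is the process-wide mitigation; the per-command length check is the fix the developer describes, since it keeps client-controlled input from ever reaching a `*_s` call with the wrong size. Note that in debug builds the MSVC CRT also raises an assertion before the handler runs, so a handler alone is not enough there.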

    #35246
    strace
    Participant

    Excellent. Glad to have helped out.

    -strace

    #35247
    strace
    Participant

    Grant,

    I wanted to see if a fix was in place for this yet. Once you can confirm a fix I am going to send out a report to the bugtraq/full-disclosure mailing lists. This bug has been assigned CVE-2009-2763. Additionally, it's also tentatively classified as an instance of CWE-755 Improper Handling of Exceptional Conditions.

    While I have shared details about the vulnerability with members of the CVE & CWE teams, aside from this forum all details remain non-public. Once a fix is confirmed I will send out a notice to the security lists.

    Thanks

    -strace

    Tom Stracener

    #35248
    imported_Serin
    Participant

    Hello,

    Yes, version 3.0.2 fixed the problem and several security sites picked up our change log and have posted details on the vulnerability. Most have listed it as a “Denial of Service Vulnerability”.
