August 12, 2009 at 5:26 am #29883
Reporting a security issue. Version 3.0 can be crashed by sending an FTP command longer than 1400 bytes. It's not clear to me if this vulnerability is exploitable in any way that would allow code execution, but an attacker can crash the FTP server.
CWD AAAAAA … [1400+ bytes]
Note, I was able to crash the server with any command that is a valid command with an argument of 1400+ bytes. When it crashes the application kicks out an exception code of c0000417, STATUS_INVALID_CRUNTIME_PARAMETER. I also tested with string sizes 200, 500, 700, but the crash only occurs when the string length is equal to or greater than 1400 bytes.
Problem Event Name: BEX
Application Name: CerberusGUI.exe
Application Version: 220.127.116.11
Application Timestamp: 4a726319
Fault Module Name: MSVCR90.dll
Fault Module Version: 9.0.30729.4148
Fault Module Timestamp: 4a594c79
Exception Offset: 000375b4
Exception Code: c0000417
Exception Data: 00000000
OS Version: 6.0.6001.2.1.0.256.1
Locale ID: 1033
Additional Information 1: 5279
Additional Information 2: 89d8199162307e605d4bbbed7bae4368
Additional Information 3: 01c5
Additional Information 4: 13926f9fb65e55e70738bba3548c7666
Using Cerberus FTP server 3.0 Professional
Build date: 2009/07/30
August 13, 2009 at 3:04 am #35244
I will check out the report and post a fix if necessary. The bug shouldn’t be exploitable as I use all secure C runtime functions for parsing (thus the CRUNTIME notice). Of course, using the secure C runtime isn’t a guarantee of safety but I will look into the issue and patch it immediately if I can duplicate it.
If you discover any additional issues I would appreciate you emailing me first to give me a chance to examine and patch any potential security vulnerabilities.
Thanks,
August 13, 2009 at 3:15 am #35245
Confirmed the problem. There is no potential for a buffer overflow. The code checks properly for size before trying to use the buffer. Unfortunately, I have CRT set to terminate the program if a string longer than the buffer is passed in.
Thanks for the bug report. I have a fix ready and I will hopefully be able to get it out sometime tomorrow.
August 13, 2009 at 6:25 pm #35246
Excellent. Glad to have helped out.
-strace
September 14, 2009 at 4:47 pm #35247
I wanted to see if a fix were in place for this yet. Once you can confirm a fix I am going to send out a report to bugtraq/full_disclosure mailing lists. This bug has been assigned CVE-2009-2763. Additionally, it's also tentatively classified as an instance of CWE-755 Improper Handling of Exceptional Conditions.
While I have shared details about the vulnerability with members of the CVE & CWE teams, aside from this forum all details remain non-public. Once a fix is confirmed I will send out a notice to the security lists.
Tom Stracener
September 14, 2009 at 4:53 pm #35248
Yes, version 3.0.2 fixed the problem and several security sites picked up our change log and have posted details on the vulnerability. Most have listed it as a “Denial of Service Vulnerability”.
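The failure mode discussed in this thread is a useful one to see in code: a bounds-checked "secure" CRT copy cannot overflow, but when the source is too long the runtime's invalid-parameter handler fires and, by default, terminates the process with exception code 0xC0000417 (STATUS_INVALID_CRUNTIME_PARAMETER). The result is not memory corruption but a denial of service, which is why the report was classified under CWE-755. The following C program is an added example written for this page, not code from Cerberus FTP Server or its author. It simulates the CRT behaviour with a portable stand-in (`strcpy_s_sim`, hypothetical) so it runs anywhere, and it assumes an argument buffer of 1400 bytes purely so the simulation reproduces the threshold reported above; the product's real buffer size is not stated in the thread. The 501 reply text is a constructed example of a protocol-level rejection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed argument buffer size. 1400 is chosen only so the simulation matches
   the threshold reported in this thread; the real buffer size is not known. */
#define ARG_BUF_SIZE 1400

enum outcome {
    HANDLED_OK,               /* command accepted */
    REJECTED_TOO_LONG,        /* command refused with a 501 reply; session survives */
    PROCESS_WOULD_TERMINATE   /* CRT invalid-parameter handler would end the process */
};

/* Hypothetical stand-in for a secure CRT copy such as strcpy_s. When the
   source does not fit, the real CRT invokes the invalid-parameter handler,
   which by default terminates the process (0xC0000417,
   STATUS_INVALID_CRUNTIME_PARAMETER). Here that path only reports failure. */
static int strcpy_s_sim(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size) {
        if (dst_size) dst[0] = '\0';
        return -1;              /* real CRT: handler runs, process terminates */
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Pattern before the fix: the copy is bounds-safe, so there is no overflow,
   but the oversize case is delegated to the runtime, which takes down the
   whole server (CWE-755, improper handling of an exceptional condition). */
static enum outcome handle_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    if (strcpy_s_sim(buf, sizeof buf, arg) != 0)
        return PROCESS_WOULD_TERMINATE;
    return HANDLED_OK;
}

/* Pattern after the fix: check the length before copying and answer with a
   protocol-level error (RFC 959 reply 501), so one oversized command from
   one client affects only that command. */
static enum outcome handle_arg_checked(const char *arg, char *reply, size_t reply_size)
{
    char buf[ARG_BUF_SIZE];
    size_t len = strlen(arg);
    if (len >= sizeof buf) {
        snprintf(reply, reply_size,
                 "501 Argument too long (max %d bytes)\r\n", ARG_BUF_SIZE - 1);
        return REJECTED_TOO_LONG;
    }
    memcpy(buf, arg, len + 1);
    snprintf(reply, reply_size, "250 Command okay\r\n");
    return HANDLED_OK;
}

/* Constructed test input: a CWD-style argument of n 'A' bytes, as in the report. */
static char *make_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (!s) abort();
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Outcome of the pre-fix handler for an argument of arg_len bytes. */
enum outcome outcome_before_fix(size_t arg_len)
{
    char *arg = make_arg(arg_len);
    enum outcome r = handle_arg_unchecked(arg);
    free(arg);
    return r;
}

/* Outcome of the post-fix handler for an argument of arg_len bytes. */
enum outcome outcome_after_fix(size_t arg_len)
{
    char reply[128];
    char *arg = make_arg(arg_len);
    enum outcome r = handle_arg_checked(arg, reply, sizeof reply);
    free(arg);
    return r;
}

int main(void)
{
    /* Same lengths the reporter tried, plus both sides of the threshold. */
    size_t sizes[] = { 200, 500, 700, 1399, 1400, 1401 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("arg %5zu bytes: before fix=%d  after fix=%d\n",
               sizes[i], outcome_before_fix(sizes[i]), outcome_after_fix(sizes[i]));
    return 0;
}
```

The design point is that "secure" string functions move the failure from silent memory corruption to a loud process abort; for a network daemon that abort is itself the vulnerability. Validating untrusted lengths before the copy, and answering with a protocol error, keeps the runtime's invalid-parameter path unreachable from client input. On a real Windows build, `_set_invalid_parameter_handler` can additionally log such events instead of terminating, which is useful for detection but is not a substitute for the length check.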