Cerberus FTP server 3.0 crash bug


Moderator: Serin

strace
New User
Posts: 3
Joined: Wed Aug 12, 2009 1:01 am

Cerberus FTP server 3.0 crash bug

Post by strace » Wed Aug 12, 2009 1:26 am

Reporting a security issue. Version 3.0 can be crashed by sending an FTP command longer than 1400 bytes. It's not clear to me if this vulnerability is exploitable in any way that would allow code execution, but an attacker can crash the FTP server.

CWD AAAAAA ... [1400+ bytes]

Note, I was able to crash the server with any command that is a valid command with an argument of 1400+ bytes. When it crashes the application kicks out an exception code of c0000417, STATUS_INVALID_CRUNTIME_PARAMETER. I also tested with string sizes 200, 500, 700, but the crash only occurs when the string length is equal to or greater than 1400 bytes.

Problem signature:
Problem Event Name: BEX
Application Name: CerberusGUI.exe
Application Version: 3.0.1.0
Application Timestamp: 4a726319
Fault Module Name: MSVCR90.dll
Fault Module Version: 9.0.30729.4148
Fault Module Timestamp: 4a594c79
Exception Offset: 000375b4
Exception Code: c0000417
Exception Data: 00000000
OS Version: 6.0.6001.2.1.0.256.1
Locale ID: 1033
Additional Information 1: 5279
Additional Information 2: 89d8199162307e605d4bbbed7bae4368
Additional Information 3: 01c5
Additional Information 4: 13926f9fb65e55e70738bba3548c7666


strace@gmail.com

Using Cerberus FTP server 3.0 Professional
Build date: 2009/07/30

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Re: Cerberus FTP server 3.0 crash bug

Post by Serin » Wed Aug 12, 2009 11:04 pm

Hello strace,

I will check out the report and post a fix if necessary. The bug shouldn't be exploitable as I use all secure C runtime functions for parsing (thus the CRUNTIME notice). Of course, using the secure C runtime isn't a guarantee of safety but I will look into the issue and patch it immediately if I can duplicate it.

If you discover any additional issues I would appreciate you emailing me first to give me a chance to examine and patch any potential security vulnerabilities.

Thanks,


Re: Cerberus FTP server 3.0 crash bug

Post by Serin » Wed Aug 12, 2009 11:15 pm

Confirmed the problem. There is no potential for a buffer overflow. The code checks properly for size before trying to use the buffer. Unfortunately, I have CRT set to terminate the program if a string longer than the buffer is passed in.

Thanks for the bug report. I have a fix ready and I will hopefully be able to get it out sometime tomorrow.
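
The failure mode described in the post above (the size check works, but the runtime ends the process instead of handing the error back) can be avoided by turning the oversized case into an ordinary FTP error reply. This is an added example, not Cerberus code and not part of the thread; it is portable C, and the 1024-byte buffer and all type and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define ARG_BUF 1024 /* assumed size; the thread does not give the real one */
enum parse_status { PARSE_OK, PARSE_TOO_LONG, PARSE_SYNTAX };
struct ftp_cmd { char verb[8]; char arg[ARG_BUF]; };

/* Bounded copy that reports failure to the caller. A secure CRT function
 * such as MSVC's strcpy_s instead calls the invalid-parameter handler, whose
 * default action is to terminate the process with 0xC0000417. */
static int copy_checked(char *dst, size_t cap, const char *src, size_t n)
{
    if (cap == 0 || n >= cap) return -1;   /* no room for data plus NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split "VERB arg\r\n"; oversized input becomes a status, not a crash. */
enum parse_status parse_ftp_line(const char *line, struct ftp_cmd *out)
{
    size_t len = strcspn(line, "\r\n");
    const char *sp = memchr(line, ' ', len);
    size_t verb_len = sp ? (size_t)(sp - line) : len;
    const char *arg = sp ? sp + 1 : line + len;
    if (verb_len == 0 || copy_checked(out->verb, sizeof out->verb, line, verb_len))
        return PARSE_SYNTAX;
    if (copy_checked(out->arg, sizeof out->arg, arg, (size_t)(line + len - arg)))
        return PARSE_TOO_LONG;
    return PARSE_OK;
}

/* RFC 959 uses reply 500 for errors such as "command line too long". */
int reply_code(enum parse_status st) { return st == PARSE_OK ? 200 : 500; }

/* Constructed input: "CWD " plus n filler bytes, the shape from the report. */
enum parse_status status_for_arg_len(size_t n)
{
    static char line[4096];
    struct ftp_cmd cmd;
    if (n + 7 > sizeof line) return PARSE_SYNTAX;
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'A', n);
    memcpy(line + 4 + n, "\r\n", 3);       /* CR, LF and the terminating NUL */
    return parse_ftp_line(line, &cmd);
}

int main(void)
{
    printf("1400-byte argument -> reply %d\n", reply_code(status_for_arg_len(1400)));
}
```

On MSVC the same effect is available by installing a handler with `_set_invalid_parameter_handler` and checking the `errno_t` return of each secure CRT call, so the server can reject the command and keep the session alive.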


Re: Cerberus FTP server 3.0 crash bug

Post by strace » Thu Aug 13, 2009 2:25 pm

Excellent. Glad to have helped out.

-strace


Re: Cerberus FTP server 3.0 crash bug

Post by strace » Mon Sep 14, 2009 12:47 pm

Grant,

I wanted to see if a fix were in place for this yet. Once you can confirm a fix I am going to send out a report to bugtraq/full_disclosure mailing lists. This bug has been assigned CVE-2009-2763. Additionally, it's also tentatively classified as an instance of CWE-755 Improper Handling of Exceptional Conditions.
While I have shared details about the vulnerability with members of the CVE & CWE teams, aside from this forum all details remain non-public. Once a fix is confirmed I will send out a notice to the security lists.

Thanks

-strace
Tom Stracener


Re: Cerberus FTP server 3.0 crash bug

Post by Serin » Mon Sep 14, 2009 12:53 pm

Hello,

Yes, version 3.0.2 fixed the problem and several security sites picked up our change log and have posted details on the vulnerability. Most have listed it as a "Denial of Service Vulnerability".
