SIG^2 Vulnerability Research Advisory

Buffer overflow in SapporoWorks BlackJumboDog FTP server

by Tan Chew Keong
Release Date: 29 July 2004

Summary

SapporoWorks BlackJumboDog is an integrated open-source proxy server, web server and FTP server developed by SapporoWorks for Microsoft Windows platforms. BlackJumboDog version 3.6.1 is vulnerable to a buffer overflow in its FTP server. By sending a specially crafted FTP request containing an overly long parameter string in the USER, PASS, RETR, CWD, XMKD, XRMD or various other commands, a remote attacker could cause a stack overflow and execute arbitrary code.

 
Tested System

BlackJumboDog Version 3.6.1 on English Win2K SP4

 
Details

This vulnerability is caused by an unsafe strcpy() that copies the entire parameter of the user's FTP command to a stack buffer of 256 bytes. For example, suppose that the user's FTP client issues the following command.

USER xxxxxxxxxxxx

The command parameter "xxxxxxxxxxxx" will be copied to a 256-byte buffer using strcpy(). Hence, by crafting an FTP command with an overly long parameter, a remote attacker could trigger a stack overflow and execute arbitrary code. The attacker does not need a valid account on the FTP server, since the overflow can be triggered before authentication using the USER command. The following OllyDbg screen capture shows that EIP was overwritten when an overly long directory name was supplied with the "cd" (CWD) command.

 
The unsafe strcpy() is contained within the following code segment from TFtp.cpp of BlackJumboDog's source.

        if(NULL==(p = strchr(SocketBuf,' '))){  /* no space: the command carries no parameter */
                Param[0]='\0';
        }else{
                while(*p==' ')                  /* skip the spaces following the command word */
                        p++;
                strcpy(Param,p);                /* unbounded copy into the 256-byte Param buffer */
        }

In this code, SocketBuf holds the received FTP command (USER, PASS, CWD, etc.) together with its parameter. Param is a char buffer of only 256 bytes, whereas SocketBuf can hold up to 30000 bytes. The unsafe strcpy() therefore overflows Param whenever the command parameter copied from SocketBuf is more than 256 bytes.

 
POC Exploit

This is the Proof-of-concept exploit code that was used to validate the vulnerability. It was publicly released shortly after a working exploit was released by SecuriTeam Experts.

Proof-of-concept bindshell exploit code can be downloaded here.

 
Source Code Fix

The following fix to the source code prevents the overflow from occurring when the command parameter is too long.

        if(NULL==(p = strchr(SocketBuf,' '))){  /* no space: the command carries no parameter */
                Param[0]='\0';
        }else{
                while(*p==' ')                  /* skip the spaces following the command word */
                        p++;
                if(strlen(p) >= PARAM_STR_MAX)  /* reject parameters that would not fit in Param */
                        goto end;
                strcpy(Param,p);                /* now guaranteed to fit, including the terminating NUL */
        }
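The following is an added example, written for this advisory and not taken from BlackJumboDog's source, that shows the length check from the Source Code Fix above applied to the parameter-extraction logic from the Details section. It assumes the advisory's buffer sizes (a 256-byte Param and a 30000-byte SocketBuf) and uses hypothetical function names (ftp_param_start, ftp_copy_param, build_user_line, check_user_param_len, check_line) of its own; the boundary tests in main() show that a 255-byte parameter is accepted while a 256-byte one is rejected, which is exactly where the original strcpy() would begin to write past the end of Param.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes taken from the advisory (assumed to match the server). */
#define PARAM_STR_MAX  256
#define SOCKET_BUF_MAX 30000

/* Locate the parameter of an FTP command line: everything after the first
   space, with any further leading spaces skipped. Returns NULL when the
   line contains no space, i.e. the command carries no parameter. */
static const char *ftp_param_start(const char *socket_buf)
{
    const char *p = strchr(socket_buf, ' ');
    if (p == NULL)
        return NULL;
    while (*p == ' ')
        p++;
    return p;
}

/* Bounded equivalent of the patched code path. Copies the parameter into
   param[param_max] only if it fits, including the terminating NUL.
   Returns 0 on success, 1 when there is no parameter (param becomes ""),
   and -1 when the parameter is too long; in that case param stays "" and
   the caller should reject the command, as the 3.6.2 fix does via goto end. */
int ftp_copy_param(const char *socket_buf, char *param, size_t param_max)
{
    const char *p;

    if (param_max == 0)
        return -1;
    param[0] = '\0';

    p = ftp_param_start(socket_buf);
    if (p == NULL)
        return 1;

    /* strlen(p) >= param_max is the check the fix adds: a parameter of
       param_max-1 bytes plus its NUL is the longest that still fits. */
    if (strlen(p) >= param_max)
        return -1;

    memcpy(param, p, strlen(p) + 1);
    return 0;
}

/* Build a "USER " line with an n-byte parameter of 'x' characters into a
   caller-supplied receive buffer (constructed input, used for the boundary
   checks). Returns 0 on success, -1 if the line would not fit in buf. */
int build_user_line(char *buf, size_t buf_size, size_t n)
{
    const char prefix[] = "USER ";
    if (n + sizeof(prefix) > buf_size)      /* sizeof(prefix) counts the NUL */
        return -1;
    memcpy(buf, prefix, sizeof(prefix) - 1);
    memset(buf + sizeof(prefix) - 1, 'x', n);
    buf[sizeof(prefix) - 1 + n] = '\0';
    return 0;
}

/* Result of ftp_copy_param() for a USER line with an n-byte parameter,
   so the 255/256 boundary can be checked without any network I/O.
   Returns -2 if the line does not even fit in the receive buffer. */
int check_user_param_len(size_t n)
{
    static char socket_buf[SOCKET_BUF_MAX];
    char param[PARAM_STR_MAX];
    if (build_user_line(socket_buf, sizeof socket_buf, n) != 0)
        return -2;
    return ftp_copy_param(socket_buf, param, sizeof param);
}

/* Parse one constructed line and return the ftp_copy_param() code, or -3
   if the extracted parameter differs from expected_param ("" for none). */
int check_line(const char *line, const char *expected_param)
{
    char param[PARAM_STR_MAX];
    int rc = ftp_copy_param(line, param, sizeof param);
    if (strcmp(param, expected_param) != 0)
        return -3;
    return rc;
}

int main(void)
{
    size_t lengths[] = { 12, 255, 256, 1000 };
    size_t i;
    printf("USER xxxxxxxxxxxx -> %d (0 = copied)\n",
           check_line("USER xxxxxxxxxxxx", "xxxxxxxxxxxx"));
    printf("QUIT              -> %d (1 = no parameter)\n", check_line("QUIT", ""));
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("USER + %4zu bytes  -> %d (-1 = rejected)\n",
               lengths[i], check_user_param_len(lengths[i]));
    return 0;
}
```

The rejection branch is the important part: returning -1 (or the server's goto end) before any copy happens means a parameter that does not fit is never written to the stack at all, so the 256-byte Param is safe regardless of how much of the 30000-byte SocketBuf the client filled.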

 
Patch

The author has fixed the bug in version 3.6.2. Users are advised to upgrade to the fixed version.

 
Disclosure Timeline

26 Jul 04 - Vulnerability Discovered
27 Jul 04 - Initial Author Notification
28 Jul 04 - Author Replied with Fix (upgrade to version 3.6.2)
29 Jul 04 - Public Release

 

Contacts

For further questions and enquiries, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 5/8/2004
webmaster@security.org.sg