BlackMoon FTPd Buffer Overflow Vulnerability
by Nikola Strahija on January 16th, 2002

The BlackMoon FTP server is vulnerable to a buffer overflow condition. Due to the nature of these problems, this could lead to arbitrary code execution on a target machine.
More specifically, the buffer which handles the received data before
parsing it was incorrectly declared static in the code below.
CBuffer::CBuffer(const char * data, int len, int capacity_inc)
{
    // staticBuf is a fixed-size array; len is never checked against its size
    bf_head = (char*)&staticBuf; //(char*)malloc(len * sizeof(char));
    if(bf_head != NULL)
    {
        memcpy(bf_head,data,len); // copies len bytes regardless of sizeof(staticBuf)
        bf_capacity = sizeof(staticBuf); //len;
        bf_current_size = len;
        bf_capacity_inc = capacity_inc;
    }
}
Due to this error, it is possible to overflow this buffer through several
of the standard FTP commands available to the user (specifically 'USER',
'PASS' and 'CWD') followed by a string of data longer than 4096 bytes.
This will kill the BlackMoon FTP service (which runs under the local SYSTEM
account) and allows for overwriting of EIP.
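The following is an added example, not BlackMoon's code, showing how a constructor of this shape can be written so that the copy can never run past the fixed array, plus a protocol-layer length check that rejects an oversized command line before it is copied at all. The class name SafeCBuffer, the helper acceptCommandLine, the 512-byte command-line limit and the 4096-byte static capacity (taken from the figure quoted above) are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Added example: a bounds-aware replacement for the advisory's CBuffer
// constructor. Class and member names are assumptions modelled on the
// advisory; the 4096-byte static capacity mirrors the size quoted there
// and is likewise an assumption.
class SafeCBuffer {
public:
    static const std::size_t kStaticCapacity = 4096;

    SafeCBuffer(const char* data, std::size_t len, std::size_t capacity_inc)
        : bf_head(NULL), bf_capacity(0), bf_current_size(0),
          bf_capacity_inc(capacity_inc), onHeap(false)
    {
        if (len <= kStaticCapacity) {
            // Fits: the fixed array is adequate, as in the original design.
            bf_head = staticBuf;
            bf_capacity = kStaticCapacity;
        } else {
            // Too long for the fixed array: size the backing store to the
            // data instead of letting memcpy run past the end of staticBuf.
            bf_head = new char[len];
            bf_capacity = len;
            onHeap = true;
        }
        // Invariant here: len <= bf_capacity, so the copy stays in bounds.
        std::memcpy(bf_head, data, len);
        bf_current_size = len;
    }

    ~SafeCBuffer() { if (onHeap) delete[] bf_head; }

    std::size_t size() const { return bf_current_size; }
    std::size_t capacity() const { return bf_capacity; }
    bool usesHeap() const { return onHeap; }

private:
    SafeCBuffer(const SafeCBuffer&);            // copying not needed; disabled
    SafeCBuffer& operator=(const SafeCBuffer&);

    char staticBuf[kStaticCapacity];
    char* bf_head;
    std::size_t bf_capacity;
    std::size_t bf_current_size;
    std::size_t bf_capacity_inc;
    bool onHeap;
};

const std::size_t SafeCBuffer::kStaticCapacity;

// Protocol-layer check, independent of the buffer fix: an FTP command line
// longer than kMaxCommandLine bytes has no legitimate use and is rejected
// before it is ever copied. The limit is an assumed policy value.
const std::size_t kMaxCommandLine = 512;

bool acceptCommandLine(const std::string& line)
{
    return line.size() <= kMaxCommandLine;
}
```

The two checks are deliberately separate: the constructor guarantees memory safety for any length it is handed, while acceptCommandLine enforces the server's policy on what a sane FTP line looks like, so a future caller that bypasses one check is still covered by the other.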
Solution:
Upgrade to BlackMoon FTP v1.5, Release #2, Build 1550. Get it from http://www.blackmoon.filetap.com/
Tested against BlackMoon FTP v1.5 (Release #1, Build 1547). Vulnerable versions down to 1.0,
Release #1, Build 1115. Found by SNS Research.