Gene6 FTP Server Forum: Alert from Symantec - Gene6 FTP Server Forum


Alert from Symantec
Symantec published a vulnerability alert.

#1 Joakim Andersson (Group: Registered Users)

Posted 04 May 2006 - 07:18 AM

Hi all.

I run G6FTP v3.6 (v3.7 in test).

I got this from Symantec yesterday:
Is this fixed in a newer version of the FTP server? (It's detected in 3.1)



QUOTE

Symantec Vulnerability Alert

Gene6 FTP Server Multiple Commands Remote Buffer Overflow Vulnerabilities
Bugtraq ID 17810
CVE CVE-MAP-NOMATCH
Published May 03 2006
Last Update 03/05/2006 4:36:51 PM GMT
Remote Yes
Local No
Credibility Single Source
Classification Boundary Condition Error
Ease Exploit Available
Availability Always
Authentication Not Required

Impact 8 Severity 8.9 Urgency Rating 7.6

Last Change Initial analysis

Vulnerable Systems
------------------
Gene6 G6 FTP Server 3.1.0


Short Summary
-------------
Gene6 FTP Server is prone to multiple buffer overflow vulnerabilities;
code execution may be possible.

Impact
------
A remote attacker may execute arbitrary code on an affected computer with
the privileges of the FTP server process.

Technical Description
---------------------
Gene6 FTP Server is an FTP server available for the Microsoft Windows
platform.

Gene6 FTP Server is prone to multiple buffer overflow vulnerabilities
when handling data through the 'MKD', 'RMD', 'XMKD', and 'XRMD'
commands.

It is reported that passing excessive data may overflow a finite sized
internal memory buffer. A successful attack may result in memory
corruption as memory adjacent to the buffer is overwritten with
user-supplied data.

These issues may lead to a denial of service condition or the execution
of arbitrary code.

This issue is reported to affect version 3.1.0; other versions may also
be vulnerable.


Attack Scenarios
----------------
1. To carry out an attack, the attacker requires credentials to access an
affected server. These issues may be exploited anonymously when
anonymous access is enabled.

2. The attacker supplies excessive data as an argument to any of the
vulnerable commands. This data will likely contain an embedded payload
and return addresses designed to influence the execution flow of the
process.

3. When processed, this data may trigger a buffer overflow, effectively
corrupting memory and potentially causing the process to return into the
attacker-supplied payload. This can effectively result in the execution
of arbitrary code with the privileges of the FTP server.

Exploits
--------
This issue can be triggered through use of the Infigo FTPStress Fuzzer.





Mitigating Strategies
---------------------
Block external access at the network boundary, unless external parties
require service.
If possible, restrict remote access to the server at the network
perimeter. Only allow trusted computers and networks to have access to
the resources.

Disallow anonymous access to services. Permit access for trusted
individuals only.
Disable anonymous access to FTP services.

Run all software as a non-privileged user with minimal access rights.
Invoke all server software with the least privileges required to
function. This will limit the effects of a successful compromise.

Implement multiple redundant layers of security.
Memory protection schemes such as non-executable stack and heap
configurations and randomly mapped memory segments will complicate
exploitation of memory corruption vulnerabilities.


Solutions
---------
Currently we are not aware of any vendor-supplied patches for this issue.
If you feel we are in error or are aware of more recent information,
please mail us at: vuldb@securityfocus.com.


Credit
------
Alexey Biznya is credited with the discovery of these vulnerabilities.

References
----------
Message
Re: FTP Fuzzer (Alexey Biznya)
http://www.securityfocus.com/archive/1/445...4.90509@krw.rzd

Web Page: Infigo FTPStress Fuzzer (Infigo)
http://www.infigo.hr/en/in_focus/tools

Web Page: Gene6 G6 FTP Server homepage (Gene6)
http://www.gene6.com/g6ftpd/index.html


Change Log
----------
2006.05.03: Initial analysis

URL
---
https://alerts.symantec.com/loaddocument.as...24-cc56a10ac3de



View public key at:
https://alerts.symantec.com/gpgkey.aspx

0
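A bounded handler for the argument of the four commands the alert names, as an added example that is not Gene6's code and not part of the original thread: the argument length is checked before any copy, and control bytes such as the line breaks visible in the fuzzer output in post #4 are refused. The names `parse_dir_command` and `MAX_PATH_ARG`, the 260-byte limit and the return-code convention are assumptions made for the illustration; the alert does not state the size of the affected buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit for this illustration (Windows MAX_PATH); not from the alert. */
#define MAX_PATH_ARG 260

/* The four commands named in the alert. */
static const char *const DIR_CMDS[] = { "MKD", "RMD", "XMKD", "XRMD" };

/* Case-insensitive match of a verb of length n against a command name. */
static int verb_is(const char *verb, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)verb[i]) != name[i]) return 0;
    return 1;
}

/*
 * Validate one command line (CRLF already stripped, len bytes long) and copy
 * its path argument into out. Returns 0 if accepted, 501 (FTP "syntax error
 * in parameters") if refused, -1 if it is not one of the four commands.
 */
int parse_dir_command(const char *line, size_t len, char *out, size_t out_size)
{
    size_t vlen = 0;
    while (vlen < len && line[vlen] != ' ') vlen++;

    int known = 0;
    for (size_t i = 0; i < sizeof DIR_CMDS / sizeof DIR_CMDS[0]; i++)
        known |= verb_is(line, vlen, DIR_CMDS[i]);
    if (!known) return -1;

    if (vlen == len) return 501;               /* verb with no argument */
    const char *arg = line + vlen + 1;
    size_t alen = len - vlen - 1;

    if (alen == 0 || alen > MAX_PATH_ARG || alen >= out_size)
        return 501;                            /* length checked before any copy */
    for (size_t i = 0; i < alen; i++)          /* refuse NUL, CR, LF, other controls */
        if ((unsigned char)arg[i] < 0x20) return 501;

    memcpy(out, arg, alen);
    out[alen] = '\0';
    return 0;
}
```

Taking the line length explicitly, rather than relying on `strlen`, keeps the check correct when the argument contains embedded NUL bytes.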

#2 Matthieu (Group: Staff)

Posted 04 May 2006 - 12:11 PM

Thank you for reporting it, I discovered the problem reading your post, we were not contacted by Symantec ...

We're investigating the problem and we'll produce a new version to correct it as soon as possible.
Gene6, SARL
Do not use PM to ask for support, use the forum or support email.

Special offer : 10% discount with coupon code : DISCOUNT
0

#3 Matthieu (Group: Staff)

Posted 04 May 2006 - 03:22 PM

Version 3.8 has been released to fix this problem : http://www.g6ftpserver.com/forum/index.php?showtopic=2515
Gene6, SARL
0

#4 Ruhe (Group: Beta Testers)

Posted 04 May 2006 - 08:42 PM

I'm not sure I understood the problem but... current v3.8.0.34

Sometimes the output in ftpfuzz stops for some seconds



At some point:
------------------------------------------------


[ USER: [test] ]

[ PASS: [test] ]
[ CMD: [MKD] FUZZ: [A:123456A:123456A:12] SIZE: 120000 ]
[ Connecting to 192.168.2.33:21... ]
[ Connected, starting fuzz process... ]

[ USER: [test] ]

[ PASS: [test] ]
[ CMD: [MKD] FUZZ: [A:123456A:123456A:12] SIZE: 200000 ]
[ Connecting to 192.168.2.33:21... ]
[ Connected, starting fuzz process... ]

[ USER: [test] ]

[ PASS: [test] ]
[ CMD: [MKD] FUZZ: [A
A
A
A
A
A
A
A
A
A
] SIZE: 30 ]
[ Connecting to 192.168.2.33:21... ]
[ Connected, starting fuzz process... ]

[ USER: [test] ]

[ PASS: [test] ]
[ CMD: [MKD] FUZZ: [A
A
A
A
A
A
A
A
A
A
] SIZE: 70 ]
[ Connecting to 192.168.2.33:21... ]
[ Connected, starting fuzz process... ]




and so on


This post has been edited by Ruhe: 04 May 2006 - 08:46 PM

0

#5 Nabla (Group: Registered Users)

Posted 06 May 2006 - 09:46 AM

It seems the tester cannot log in in your case, Ruhe; I think it requires an account.
Errors are the best teachers.
0

#6 Ruhe (Group: Beta Testers)

Posted 06 May 2006 - 09:56 AM

Sure, I know. But the results do not look very different from 3.7 to me, so I would like to know how to reproduce it or what to look for (in v3.7 and v3.8).
0
