
Monday, June 13, 2016

[FD] FlashFXP v5.3.0 (Windows) - Memory Corruption Vulnerability

Document Title:
===============
FlashFXP v5.3.0 (Windows) - Memory Corruption Vulnerability

References (Source):
====================
http://ift.tt/1trXd6f

Release Date:
=============
2016-06-13

Vulnerability Laboratory ID (VL-ID):
====================================
1853

Common Vulnerability Scoring System:
====================================
5.1

Product & Service Introduction:
===============================
FlashFXP is a FTP, FTPS, SFTP client for Windows. Secure, reliable, and efficient file transfers. Use FlashFXP to publish and maintain your website. Upload and download files, such as documents, photos, videos, music and more! Transfer or backup local and remote files, plus (FXP) server to server ftp transfers. FlashFXP offers unique and complimentary advanced features for client configuration. Share files with your friends and co-workers (FTP or SFTP server required).

(Copy of the Homepage: http://ift.tt/1VUZj9t )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local memory corruption vulnerability in the official FlashFXP v5.3.0 windows software.

Vulnerability Disclosure Timeline:
==================================
2016-06-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-06-02: Vendor Notification (FlashFXP Security Team)
2016-**-**: Vendor Fix/Patch (FlashFXP Security Team)
2016-06-13: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
OpenSight Software
Product: FlashFXP - Software (Client) [Windows] 5.3.0 (Build 3932)

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A local memory corruption vulnerability has been discovered in the official FlashFXP v5.3.0 windows software. The vulnerability allows local attackers to compromise the software process by exploitation of a memory issue.

The vulnerability is located in the `Move file in queue` input function of the `Tools - Schedule - Plan` module. The input of the `Move file in queue` function is able to compromise the `Tools - Schedule - Plan` module after successful exploitation. The `Move file in queue` function has no memory limitation on request, only the regular exception handling. This results in an unexpected out of memory exception where the attacker can continue to process the input. The error is saved into the newly generated bug report because of the uncaught unknown exception. The issue can be triggered automatically by a stable included scheduled plan to compromise or crash the process.

The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.1. Exploitation of the vulnerability requires a low privileged or restricted system user account without user interaction. Successful exploitation of the vulnerability results in unknown exceptions, software process crashes and process compromise.

Vulnerable Module(s):
[+] Tools - Schedule - Plans

Vulnerable Input(s):
[+] Move file in queue

Proof of Concept (PoC):
=======================
The memory corruption issue can be exploited by local attackers with a low privileged system user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the newest FlashFXP software version to your windows computer
2. Open the software process with the interface
3. Click the tools menu on top of the bar
4. Open the schedule a plan option
5. Add a new plan to the schedule list module
6. Include a large unicode string as payload in the `Move file in queue` input field
7. Save the entry and start the plan (right mouse click or push enter in the mask)
Note: Now the plan is processing the move file in queue input
8. An exception occurs that shows the error message "Out of Memory" (Memory Corruption)
Note: The exception returns all the time and the software is crashed by a memory corruption
9. Close the software and start the process again to approve the application-side attack vector
10. Open the tools and switch to the schedule option
11. The software crashes permanently with the saved plan by an error exception
Note: The input has been saved since the corruption occurs and is stored!
12. Successful reproduction of the vulnerability!
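The two conditions the advisory describes, an input field with no size limit and a stored entry that breaks the software again after restart, point to a length check on both the edit path and the load path. The sketch below is an added example, not FlashFXP code: `plan_entry`, `FIELD_MAX`, `plan_set_field` and `plan_load_field` are hypothetical names, and the 260-character cap is an assumed value.

```c
#include <stddef.h>
#include <wchar.h>

#define FIELD_MAX 260  /* assumed cap in characters; not a value from the advisory */

typedef enum { PLAN_OK, PLAN_ERR_EMPTY, PLAN_ERR_TOO_LONG } plan_status;

typedef struct {                 /* hypothetical in-memory plan record */
    wchar_t move_in_queue[FIELD_MAX + 1];
    int     enabled;             /* 0 = quarantined: the scheduler must skip it */
} plan_entry;

/* Scan at most FIELD_MAX + 1 of the `avail` characters, so the cost of
 * rejecting an oversized value does not grow with the size of the input. */
static plan_status validate(const wchar_t *s, size_t avail, size_t *len)
{
    size_t n = 0;
    if (s == NULL || avail == 0 || s[0] == L'\0')
        return PLAN_ERR_EMPTY;
    while (n < avail && n <= FIELD_MAX && s[n] != L'\0')
        n++;
    if (n > FIELD_MAX || n == avail)   /* over the cap, or no terminator */
        return PLAN_ERR_TOO_LONG;
    *len = n;
    return PLAN_OK;
}

/* Edit path: reject bad input and leave the existing plan untouched. */
plan_status plan_set_field(plan_entry *p, const wchar_t *in, size_t avail)
{
    size_t len;
    plan_status st = validate(in, avail, &len);
    if (st != PLAN_OK)
        return st;
    wmemcpy(p->move_in_queue, in, len);
    p->move_in_queue[len] = L'\0';
    p->enabled = 1;
    return PLAN_OK;
}

/* Load path: a stored record is untrusted as well. A bad one is blanked and
 * disabled so start-up completes and the scheduler never runs it. */
plan_status plan_load_field(plan_entry *p, const wchar_t *stored, size_t avail)
{
    plan_status st = plan_set_field(p, stored, avail);
    if (st != PLAN_OK) {
        p->move_in_queue[0] = L'\0';
        p->enabled = 0;
    }
    return st;
}
```

Checking the stored record on load is what addresses steps 9 to 11: a value written by an unpatched build is quarantined when the plan list is read instead of being processed again.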

Source: Gmail -> IFTTT-> Blogger
