FlashFXP 5.3.0 Memory Corruption



EKU-ID: 5611
Author: Benjamin Kunz Mejri
Published: 2016-06-14
Verified: Verified


Document Title:
===============
FlashFXP v5.3.0 (Windows) -  Memory Corruption Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1853


Release Date:
=============
2016-06-13


Vulnerability Laboratory ID (VL-ID):
====================================
1853


Common Vulnerability Scoring System:
====================================
5.1


Product & Service Introduction:
===============================
FlashFXP is a FTP, FTPS, SFTP client for Windows. Secure, reliable, and efficient file transfers.
Use FlashFXP to publish and maintain your website. Upload and download files, such as documents, 
photos, videos, music and more! Transfer or backup local and remote files, plus (FXP) server to 
server ftp transfers. FlashFXP offers unique and complimentary advanced features for client 
configuration. Share files with your friends and co-workers (FTP or SFTP server required).

(Copy of the Homepage: https://www.flashfxp.com/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local memory corruption vulnerability in the official FlashFXP v5.3.0 Windows software.


Vulnerability Disclosure Timeline:
==================================
2016-06-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-06-02: Vendor Notification (FlashFXP Security Team)
2016-**-**: Vendor Fix/Patch (FlashFXP Security Team)
2016-06-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
OpenSight Software
Product: FlashFXP - Software (Client) [Windows] 5.3.0 (Build 3932)


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local memory corruption vulnerability has been discovered in the official FlashFXP v5.3.0 Windows software.
The vulnerability allows local attackers to compromise the software process by exploiting a memory issue.

The vulnerability is located in the `Move file in queue` input function of the `Tools - Schedule - Plan` module.
Input to the `Move file in queue` function is able to compromise the `Tools - Schedule - Plan` module after
successful exploitation. The `Move file in queue` function places no memory limit on the request and relies only
on the regular exception handling. This results in an unexpected out-of-memory exception, after which the attacker
can continue to process the input. The error is saved into a newly generated bug report because of the uncaught
unknown exception. The issue can be triggered automatically by a permanently included scheduled plan to compromise
or crash the process.

The security risk of the vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 5.1.
Exploitation of the vulnerability requires a low-privileged or restricted system user account and no user interaction.
Successful exploitation of the vulnerability results in unknown exceptions, software process crashes and process compromise.

Vulnerable Module(s):
				[+] Tools - Schedule - Plans

Vulnerable Input(s):
				[+] Move file in queue


Proof of Concept (PoC):
=======================
The memory corruption issue can be exploited by local attackers with a low-privileged system user account and without user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.


Manual steps to reproduce the vulnerability ...
1.  Install the newest FlashFXP software version on your Windows computer
2.  Open the software process with the interface
3.  Click the Tools menu at the top of the bar
4.  Open the schedule a plan option
5.  Add a new plan to the schedule list module
6.  Include a large unicode string in the `Move file in queue` input field as payload
7.  Save the entry and start the plan (right mouse click or push enter in the mask)
Note: Now the plan is processing the move file in queue input
8.  An exception occurs that shows the error message "Out of Memory" (Memory Corruption)
Note: The exception recurs every time and the software crashes with a memory corruption
9.  Close the software and start the process again to confirm the application-side attack vector
10. Open the tools and switch to the schedule option
11. The software crashes permanently on the saved plan with an error exception
Note: The input was saved when the corruption occurred and remains stored!
12. Successful reproduction of the vulnerability!


--- Exception Handling Bug Report Records ---
date/time           : 2016-05-31, 19:16:47
computer name       : X01 Session 2016
user name           : Benjamin Kunz Mejri
operating system    : Windows 10 x64 build 10586
processors          : 4x Intel(R) Core(TM) i5-4210M CPU @ 2.60GHz
process id          : $354
allocated memory    : 2,92 GB
largest free block  : 222,84 MB
executable          : FlashFXP.exe
exec. date/time     : 2016-05-06 18:23
executable hash     : 08CFB10FC665C75047FE895D7517973D
version             : 5.3.0.3932
SSE2                : 1
WinOSCompatMode     : 0
ID                  : b07af5b3110aa75f4bd313454fd40c49
Install Mode        : Per User - User data folder
AppFolder           : C:\Program Files (x86)\FlashFXP 5
DataFolder          : C:\Users\Admin\AppData\Roaming\FlashFXP\5
TempFolder          : C:\Users\Admin\AppData\Local\Temp
Themes Available    : 1
Themes Active       : 1
App Instance Count  : 1
ANSI code page      : 1252
Thread locale       : 1031
User Default Locale : 1031
PixelsPerInch       : 96
ScreenReader        : 0
PrevBuild           : 0
MouseOverCtrl       : TQueueStorage.Queue
Active Form         : TFrmTskSchd (FrmTskSchd)
Forms               : TFrmTskSchd, TFrmMain, TTntForm
Active Ctrl         : TPTListView (LV)
APPE                : 0
WideChar Test       : 0
callstack crc       : $8fd89c21, $956cbda8, $15fea25c
exception number    : 1
exception class     : EOutOfMemory
exception message   : Out of memory.


Note: The report is generated by the process via software exception-handling


--- Vulnerable Process Log ---
00920000 FlashFXP.exe - 5.3.0.3932 - C:\Program Files (x86)\FlashFXP 5


--- CPU Registers Log ---
eax = 02fb1b50
ebx = 009ad6dd
ecx = cc5bedf0
edx = 009ad6dd
esi = 009ad6dd
edi = 005fdc34
eip = 009ad6dd
esp = 005fdbc8
ebp = 005fdc4c


--- Stack Dump Log ---


--- Disassembler Log ---
[...]
00c5b648        jmp     loc_c5b6a9
00c5b648
00c5b648      ; ---------------------------------------------------------
00c5b648
00c5b64a      loc_c5b64a:
00c5b64a 1396   cmp     word ptr [ebx+$3ca], 0
00c5b652        jz      loc_c5b667
00c5b652
00c5b654 1397   lea     ecx, [edx+$c]
00c5b657        mov     edx, ebx
00c5b659        mov     eax, [ebx+$3cc]
00c5b65f        call    dword ptr [ebx+$3c8]
00c5b65f
00c5b665        jmp     loc_c5b6b2
00c5b665
00c5b665      ; ---------------------------------------------------------
00c5b665
00c5b667      loc_c5b667:
00c5b667 1400   mov     edx, edi
00c5b669        mov     eax, ebx
00c5b66b      > call    -$1628c ($c453e4)      ; TntComCtrls.TTntCustomListView.CNNotify
00c5b66b
00c5b670        jmp     loc_c5b6b2
00c5b670
00c5b670      ; ---------------------------------------------------------
00c5b670
00c5b672      loc_c5b672:
00c5b672 1411   cmp     word ptr [ebx+$482], 0
00c5b67a        jz      loc_c5b69e
00c5b67a
00c5b67c 1413   push    esp
00c5b67d        call    -$333d1e ($927964)     ; Windows.GetCursorPos
00c5b67d
00c5b682 1414   lea     ecx, [esp+8]
00c5b686        mov     edx, esp
00c5b688        mov     eax, ebx
00c5b68a        call    -$ef6eb ($b6bfa4)      ; Controls.TControl.ScreenToClient
00c5b68a
00c5b68f        lea     edx, [esp+8]
00c5b693        mov     eax, ebx
00c5b695        mov     si, $ffaa
[...]


Solution - Fix & Patch:
=======================
The vulnerability can be patched by allocating the memory or by limiting and restricting the vulnerable input fields.
Disallow continuing to process the input via debugger to prevent exploitation of the memory corruption issue.
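
The input restriction recommended above, sketched in C as an added example (this is not FlashFXP's code, which the advisory does not show). The length is checked before any allocation, and the same check runs when saved plans are loaded, so a stored oversized entry is skipped instead of failing on every start. The function names, the saved_entry layout and the 32767-unit cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap: the Windows extended-length path limit in UTF-16 units. */
#define QUEUE_FIELD_MAX_UNITS 32767u
typedef enum { FIELD_OK, FIELD_EMPTY, FIELD_TOO_LONG, FIELD_NO_MEMORY } field_status;
typedef struct { const uint16_t *text; size_t units; } saved_entry; /* hypothetical */

/* Copy an untrusted UTF-16 field; the length is checked before allocating. */
field_status queue_field_copy(const uint16_t *src, size_t units, uint16_t **out)
{
    *out = NULL;
    if (src == NULL || units == 0) return FIELD_EMPTY;
    if (units > QUEUE_FIELD_MAX_UNITS) return FIELD_TOO_LONG;
    uint16_t *buf = malloc((units + 1) * sizeof *buf);
    if (buf == NULL) return FIELD_NO_MEMORY;
    memcpy(buf, src, units * sizeof *buf);
    buf[units] = 0;
    *out = buf;
    return FIELD_OK;
}

/* Load saved entries; an invalid one is skipped and counted, never fatal. */
size_t queue_load(const saved_entry *in, size_t n, uint16_t **loaded, size_t *rejected)
{
    size_t kept = 0;
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t *copy;
        if (queue_field_copy(in[i].text, in[i].units, &copy) == FIELD_OK)
            loaded[kept++] = copy;
        else
            (*rejected)++;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample: one normal saved entry and one over the cap. */
    static const uint16_t ok[] = { 'C', ':', '\\', 'a' };
    static uint16_t big[QUEUE_FIELD_MAX_UNITS + 1];
    saved_entry saved[] = { { ok, 4 }, { big, QUEUE_FIELD_MAX_UNITS + 1 } };
    uint16_t *loaded[2];
    size_t rejected, kept = queue_load(saved, 2, loaded, &rejected);
    printf("kept=%zu rejected=%zu\n", kept, rejected);
    while (kept > 0) free(loaded[--kept]);
}
```

Reporting the rejected count to the user lets a bad saved plan be removed rather than silently ignored.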


Security Risk:
==============
The security risk of the local memory corruption vulnerability in the schedule plan module of the software is estimated as medium. (CVSS 5.1)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.


Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab team & the specific
authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@vulnerability-lab.com) to ask for permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

