Document Title:
===============
FlashFXP v5.3.0 (Windows) - Memory Corruption Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1853


Release Date:
=============
2016-06-13


Vulnerability Laboratory ID (VL-ID):
====================================
1853


Common Vulnerability Scoring System:
====================================
5.1


Product & Service Introduction:
===============================
FlashFXP is an FTP, FTPS, SFTP client for Windows. Secure, reliable, and efficient file transfers. Use FlashFXP to publish and maintain your website. Upload and download files, such as documents, photos, videos, music and more! Transfer or backup local and remote files, plus (FXP) server to server ftp transfers. FlashFXP offers unique and complimentary advanced features for client configuration. Share files with your friends and co-workers (FTP or SFTP server required).

(Copy of the Homepage: https://www.flashfxp.com/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local memory corruption vulnerability in the official FlashFXP v5.3.0 Windows software.


Vulnerability Disclosure Timeline:
==================================
2016-06-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-06-02: Vendor Notification (FlashFXP Security Team)
2016-**-**: Vendor Fix/Patch (FlashFXP Security Team)
2016-06-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
OpenSight Software
Product: FlashFXP - Software (Client) [Windows] 5.3.0 (Build 3932)


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local memory corruption vulnerability has been discovered in the official FlashFXP v5.3.0 Windows software.
The vulnerability allows local attackers to compromise the software process by exploiting a memory issue. The vulnerability is located in the `Move file in queue` input function of the `Tools - Schedule - Plan` module. The input of the `Move file in queue` function is able to compromise the `Tools - Schedule - Plan` module after successful exploitation. The `Move file in queue` function has no memory limitation on the request, only the regular exception handling. This results in an unexpected out-of-memory exception, after which the attacker can continue to process the input. The error is saved into the newly generated bug report because of the uncaught unknown exception. The issue can be triggered automatically by a stable, included scheduled plan to compromise or crash the process.

The security risk of the vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 5.1.

Exploitation of the vulnerability requires a low privileged or restricted system user account without user interaction. Successful exploitation of the vulnerability results in unknown exceptions, software process crashes and process compromise.

Vulnerable Module(s):
				[+] Tools - Schedule - Plans

Vulnerable Input(s):
				[+] Move file in queue


Proof of Concept (PoC):
=======================
The memory corruption issue can be exploited by local attackers with a low privileged system user account and without user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Install the newest FlashFXP software version on your Windows computer
2. Open the software process with the interface
3. Click on the Tools menu at the top of the bar
4. Open the "Schedule a plan" option
5. Add a new plan to the schedule list module
6. Enter a large Unicode string as payload into the `Move file in queue` input field
7. Save the entry and start the plan (right mouse click or press Enter in the mask)
Note: Now the plan is processing the `Move file in queue` input
8. An exception occurs that shows the error message "Out of Memory" (Memory Corruption)
Note: The exception returns every time and the software is crashed by a memory corruption
9. Close the software and start the process again to confirm the application-side attack vector
10. Open the Tools menu and switch to the Schedule option
11. The software crashes permanently with the saved plan by an error exception
Note: The input has been saved since the corruption occurred and is stored!
12. Successful reproduction of the vulnerability!


--- Exception Handling Bug Report Records ---
date/time          : 2016-05-31, 19:16:47
computer name      : X01 Session 2016
user name          : Benjamin Kunz Mejri
operating system   : Windows 10 x64 build 10586
processors         : 4x Intel(R) Core(TM) i5-4210M CPU @ 2.60GHz
process id         : $354
allocated memory   : 2,92 GB
largest free block : 222,84 MB
executable         : FlashFXP.exe
exec. date/time    : 2016-05-06 18:23
executable hash    : 08CFB10FC665C75047FE895D7517973D
version            : 5.3.0.3932
SSE2               : 1
WinOSCompatMode    : 0
ID                 : b07af5b3110aa75f4bd313454fd40c49
Install Mode       : Per User - User data folder
AppFolder          : C:\Program Files (x86)\FlashFXP 5
DataFolder         : C:\Users\Admin\AppData\Roaming\FlashFXP\5
TempFolder         : C:\Users\Admin\AppData\Local\Temp
Themes Available   : 1
Themes Active      : 1
App Instance Count : 1
ANSI code page     : 1252
Thread locale      : 1031
User Default Locale: 1031
PixelsPerInch      : 96
ScreenReader       : 0
PrevBuild          : 0
MouseOverCtrl      : TQueueStorage.Queue
Active Form        : TFrmTskSchd (FrmTskSchd)
Forms              : TFrmTskSchd, TFrmMain, TTntForm
Active Ctrl        : TPTListView (LV)
APPE               : 0
WideChar Test      : 0
callstack crc      : $8fd89c21, $956cbda8, $15fea25c
exception number   : 1
exception class    : EOutOfMemory
exception message  : Out of memory.
Note: The report is generated by the process via software exception handling


--- Vulnerable Process Log ---
00920000 FlashFXP.exe - 5.3.0.3932 - C:\Program Files (x86)\FlashFXP 5


--- CPU Registers Log ---
eax = 02fb1b50
ebx = 009ad6dd
ecx = cc5bedf0
edx = 009ad6dd
esi = 009ad6dd
edi = 005fdc34
eip = 009ad6dd
esp = 005fdbc8
ebp = 005fdc4c


--- Stack Dump Log ---
[...]


--- Disassembler Log ---
[...]
00c5b648 jmp loc_c5b6a9
00c5b648
00c5b648 ; ---------------------------------------------------------
00c5b648
00c5b64a loc_c5b64a:
00c5b64a 1396 cmp word ptr [ebx+$3ca], 0
00c5b652 jz loc_c5b667
00c5b652
00c5b654 1397 lea ecx, [edx+$c]
00c5b657 mov edx, ebx
00c5b659 mov eax, [ebx+$3cc]
00c5b65f call dword ptr [ebx+$3c8]
00c5b65f
00c5b665 jmp loc_c5b6b2
00c5b665
00c5b665 ; ---------------------------------------------------------
00c5b665
00c5b667 loc_c5b667:
00c5b667 1400 mov edx, edi
00c5b669 mov eax, ebx
00c5b66b > call -$1628c ($c453e4) ; TntComCtrls.TTntCustomListView.CNNotify
00c5b66b
00c5b670 jmp loc_c5b6b2
00c5b670
00c5b670 ; ---------------------------------------------------------
00c5b670
00c5b672 loc_c5b672:
00c5b672 1411 cmp word ptr [ebx+$482], 0
00c5b67a jz loc_c5b69e
00c5b67a
00c5b67c 1413 push esp
00c5b67d call -$333d1e ($927964) ; Windows.GetCursorPos
00c5b67d
00c5b682 1414 lea ecx, [esp+8]
00c5b686 mov edx, esp
00c5b688 mov eax, ebx
00c5b68a call -$ef6eb ($b6bfa4) ; Controls.TControl.ScreenToClient
00c5b68a
00c5b68f lea edx, [esp+8]
00c5b693 mov eax, ebx
00c5b695 mov si, $ffaa
[...]


Solution - Fix & Patch:
=======================
The vulnerability can be patched by bounding the memory allocation and by limiting and restricting the vulnerable input fields. Disallow continuing the process input via debugger to prevent exploitation of the memory corruption issue.


Security Risk:
==============
The security risk of the local memory corruption vulnerability in the schedule plan module of the software is estimated as medium. (CVSS 5.1)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com   - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@vulnerability-lab.com) to ask for permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
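As an added illustration of the mitigation the Solution section describes (bound the vulnerable input field, and keep an already-stored oversized plan entry from taking the process down again on every start, as steps 9 to 11 of the PoC show), the following is example code and not FlashFXP's own. The field name `move_file_in_queue`, the 4096 code-unit cap and the JSON store layout are assumptions.

```python
"""Bounded validation for persisted schedule-plan entries (added example, not FlashFXP code).

The field name `move_file_in_queue`, the MAX_FIELD_CHARS cap and the JSON store
layout are assumptions. Two checks matter: cap the input at save time, and
quarantine an already-stored oversized entry at load time so a poisoned plan
cannot crash the process on every start.
"""
import json

MAX_FIELD_CHARS = 4096  # assumed per-field cap, counted in UTF-16 code units
BOUNDED_FIELDS = ("move_file_in_queue", "name")


class PlanValidationError(ValueError):
    """Raised when a plan field exceeds the configured bound."""


def validate_plan(plan: dict) -> dict:
    """Reject a plan whose bounded text fields exceed MAX_FIELD_CHARS."""
    for field in BOUNDED_FIELDS:
        value = plan.get(field, "")
        if not isinstance(value, str):
            raise PlanValidationError(f"{field}: expected a string")
        # Count UTF-16 code units, as a Windows wide-string API would.
        units = len(value.encode("utf-16-le")) // 2
        if units > MAX_FIELD_CHARS:
            raise PlanValidationError(f"{field}: {units} code units exceeds {MAX_FIELD_CHARS}")
    return plan


def save_plan(store: list, plan: dict) -> None:
    """Save path: an oversized field is rejected before it is ever persisted."""
    store.append(validate_plan(plan))


def load_plans(raw_json: str) -> tuple:
    """Load path: an oversized stored entry is quarantined instead of aborting the load."""
    good, quarantined = [], []
    for plan in json.loads(raw_json):
        try:
            good.append(validate_plan(plan))
        except PlanValidationError as exc:
            quarantined.append({"plan": plan.get("name", "?"), "reason": str(exc)})
    return good, quarantined


# Constructed sample store: one benign plan and one carrying an oversized field.
SAMPLE_STORE = json.dumps([
    {"name": "nightly", "move_file_in_queue": "/incoming/report.csv"},
    {"name": "poisoned", "move_file_in_queue": "\u00c4" * 100_000},
])
```

Loading `SAMPLE_STORE` yields the benign plan plus one quarantine record naming the poisoned entry and its size, so the scheduler still opens and the bad entry can be shown to the user or deleted.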