POC details: a7821b023a1bd6fd68174f8155be75b958652a8d

Source
Related vulnerability
Title: Xlight FTP security vulnerability (CVE-2024-46483)
Description: Xlight FTP is a high-performance, easy-to-use FTP server product from Xlight FTP, intended to make file transfer secure and simple. Versions of Xlight FTP before 3.9.4.3 contain a security vulnerability caused by an integer overflow in the SFTP server's packet parsing logic, which can lead to a heap overflow with attacker-controlled content.
Description
Pre-Authentication Heap Overflow in Xlight SFTP server <= 3.9.4.2
Introduction
# CVE-2024-46483 - Pre-Authentication Heap Overflow in Xlight SFTP server

### Affected versions
Xlight 32 and 64-bit versions <= 3.9.4.2

### Impact
An unauthenticated attacker with access to Xlight SFTP could gain code execution or cause a denial of service.

### Root Cause
Strings sent across the wire in the SFTP protocol are prefixed with a four byte length. The function which Xlight uses to read these strings from the network packet has an integer overflow when validating the length and when allocating the required amount of memory. By crafting the four byte length for a string we can trigger a large memmove (~4GB) from an attacker-controlled buffer out-of-bounds onto the heap.

The vulnerable function is used for receiving strings throughout the SSH handshake, including pre-authentication when receiving supported algorithms, cipher suites, and a username and password from the client. We can target any of these strings with a crafted length to trigger the exploit.

### Exploitability
This is easy to trigger but the ease of exploitation depends on the bitness of the Xlight binary.

On 32-bit the copy will run off the end of the heap, clobbering everything in the process, before causing a crash. It is likely possible to corrupt an adjacent structure on the heap and exploit the multi-threaded nature of this server to access the corrupted data, before the wild copy crashes the process.

On 64-bit we can't get an OOB write, because the size argument to the memory allocation call is a size_t (i.e. 64-bits wide when compiled for 64-bit), which means we can't overflow this value with the addition of two 32-bit integers, and instead we just allocate a large ~4GB buffer. This bug results in an OOB read instead, which crashes the process.
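The root-cause and exploitability sections above describe the two arithmetic defects in general terms: a bounds check of the form `offset + length` that wraps in 32-bit arithmetic, and an allocation size that wraps only when `size_t` is 32 bits wide. The following C program is an added illustration and is not code from the POC repository or from Xlight; it models the flawed check next to a hardened SSH/SFTP string reader and runs both over constructed inputs. The `MAX_SSH_STRING` cap, the helper names and the sample packets are assumptions chosen for the example, not Xlight's actual limits or code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed policy cap on one SSH "string" field; the advisory does not state
 * Xlight's own limit, so this value is an example choice. */
#define MAX_SSH_STRING 32768u

/* Decode the big-endian 4-byte length prefix that SSH/SFTP string fields carry. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The wrapping pattern: pos + len is computed in 32-bit arithmetic, so a
 * length close to 0xFFFFFFFF wraps to a small value and the check passes.
 * Returns 1 when this flawed check accepts the string. Nothing is copied. */
int length_check_wrapping(uint32_t pos, uint32_t len, uint32_t total)
{
    uint32_t end = pos + len;            /* wraps on overflow */
    return end <= total;
}

/* Hardened check: compare len with the bytes that remain; no addition, no wrap. */
int length_check_safe(uint32_t pos, uint32_t len, uint32_t total)
{
    if (pos > total)          return 0;
    if (len > total - pos)    return 0;
    if (len > MAX_SSH_STRING) return 0;  /* policy cap keeps allocations bounded */
    return 1;
}

/* Read one SSH string at *pos within pkt[0..total). On success returns a
 * NUL-terminated heap copy, advances *pos past it and writes its length to
 * *out_len; returns NULL for any malformed field. Caller frees the result. */
char *read_ssh_string(const unsigned char *pkt, uint32_t total,
                      uint32_t *pos, uint32_t *out_len)
{
    if (*pos > total || total - *pos < 4) return NULL;  /* need the 4-byte prefix */
    uint32_t len  = get_u32(pkt + *pos);
    uint32_t body = *pos + 4;                           /* cannot wrap: *pos + 4 <= total */
    if (!length_check_safe(body, len, total)) return NULL;
    char *s = malloc((size_t)len + 1);  /* len <= MAX_SSH_STRING, so len + 1 cannot overflow */
    if (!s) return NULL;
    memcpy(s, pkt + body, len);
    s[len] = '\0';
    *pos = body + len;
    *out_len = len;
    return s;
}

/* Constructed input: a well-formed name-list entry "ssh-rsa" with length 7. */
int demo_valid_string(void)
{
    const unsigned char pkt[] = { 0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a' };
    uint32_t pos = 0, len = 0;
    char *s = read_ssh_string(pkt, sizeof pkt, &pos, &len);
    int ok = s && len == 7 && pos == 11 && strcmp(s, "ssh-rsa") == 0;
    free(s);
    return ok;
}

/* Constructed input: a 6-byte packet whose length prefix claims ~4 GB.
 * Returns 1 when the flawed check accepts it while the safe reader rejects it. */
int demo_crafted_length(void)
{
    const unsigned char pkt[] = { 0xFF, 0xFF, 0xFF, 0xFE, 'A', 'B' };
    uint32_t total = sizeof pkt;
    uint32_t len = get_u32(pkt);
    int flawed_accepts = length_check_wrapping(4, len, total);  /* 4 + 0xFFFFFFFE wraps to 2 */
    uint32_t pos = 0, out_len = 0;
    char *s = read_ssh_string(pkt, total, &pos, &out_len);
    int safe_rejects = (s == NULL) && pos == 0;
    free(s);
    return flawed_accepts && safe_rejects;
}

int main(void)
{
    printf("valid string parsed: %d\n", demo_valid_string());
    printf("crafted length caught: %d\n", demo_crafted_length());
    return 0;
}
```

The safe check never forms the sum `pos + len`; it subtracts the known-good offset from the total first, so the comparison cannot wrap on either a 32-bit or a 64-bit build. The explicit cap also removes the 64-bit failure mode described above, where the addition no longer wraps but the server honours a ~4 GB allocation request from an unauthenticated peer.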
File snapshot

[4.0K] /data/pocs/a7821b023a1bd6fd68174f8155be75b958652a8d
├── [ 724] exploit.py
├── [1.7K] README.md
├── [ 15] requirements.txt
└── [8.4M] xlight_sftp_heap_overflow.gif

0 directories, 4 files