@stake advisory: WS_FTP SITE CPWD Buffer Overflow vulnerability (a090902-1)

From: @stake advisories (@stake)
Date: Thu Aug 08 2002 - 09:20:15 PDT

Next message: secureat_private: "[CLA-2002:516] Conectiva Linux Security Announcement - openssl"

Previous message: GreyMagic Software: "Exploiting the Google toolbar (GM#001-MC)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                               @stake, Inc.
                             www.atstake.com

                            Security Advisory


Advisory Name: WS_FTP SITE CPWD Buffer Overflow vulnerability
 Release Date: 08/08/2002
  Application: WS_FTP SERVER 3.1.1
     Platform: Windows NT/2000/XP
     Severity: A buffer overflow occurs allowing the
               remote execution of arbitrary code
       Author: Andreas Junestam (andreasat_private)
Vendor Status: Patch is released
CVE Candidate: CAN-2002-0826
    Reference: www.atstake.com/research/advisories/2002/a080802-1.txt


Overview:

WS_FTP Server is a widely used FTP Server for the Microsoft
NT/2000/XP platform.

There exists a vulnerability within the software, which allows an
attacker to overwrite the return address on the stack, thus taking
control of the execution flow. This allows the attacker to run
arbitrary code on the system remotely


Detailed Description:

The WS_FTP Server allows users to change their password through
a site command, "site cpwd". The code handling the argument supplied
with this site command contains an unchecked string copy, allowing
an attacker to overwrite the return address stored on the stack.
Since the WS_FTP Server is running as a service, in most cases it will
be executing as SYSTEM.

The feature to allow user to change their passwords is enabled by
deafult, but it is possible for a WS_FTP Server administrator to turn
this functionality off.


Vendor Response:

This issue was reported to Ipswitch on July 25, 2002 and a patch was
produced short thereafter.


Recommendation:

Install the patch provided by Ipswitch:
ftp://ftp.ipswitch.com/ipswitch/product_support/WS_FTP_Server/ifs312.exe

For more info, see:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

Also, consider turning off all unused features and run the software
under a less privileged account.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2002-0926 WS_FTP SITE CPWD Buffer Overflow vulnerability

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3 

iQA/AwUBPVJ5SEe9kNIfAm4yEQJ45QCg8ZQeT5YBnM+M828g4/ADvDjQhqsAoLBj
8/7ChofztBBYnruT3tu62Kgr
=WJ3k
-----END PGP SIGNATURE-----

Next message: secureat_private: "[CLA-2002:516] Conectiva Linux Security Announcement - openssl"
Previous message: GreyMagic Software: "Exploiting the Google toolbar (GM#001-MC)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 08 2002 - 09:44:23 PDT