Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (File Transfer/Sharing)  >   WS_FTP Pro Vendors:   Ipswitch
WS_FTP Pro ASCII Mode Directory Listing Buffer Overflow May Let Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1009424
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Apr 3 2004
Original Entry Date:  Mar 15 2004
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 8.02
Description:   A buffer overflow vulnerability was reported in the WS_FTP Pro client software. A remote server may be able to cause arbitrary code to be executed on a connected client.

It is reported that a remote FTP server can send specially crafted ASCII mode directory data to a connected client to trigger the overflow. If the returned data has more than 260 bytes without a terminating CR/LF (such as a long directory or file name), memory will be overwritten with user-supplied data, the report said. It may be possible to execute arbitrary code, but the report did not confirm that.

Impact:   A remote server may be able to execute arbitrary code on a connected client.
Solution:   The vendor issued a new version (8.03) to fix the flaw, but nesumin reported that 8.03 is still vulnerable [see the Message History].
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 3 2004 (Version 8.03 is Vulnerable) WS_FTP Pro ASCII Mode Directory Listing Buffer Overflow May Let Remote Servers Execute Arbitrary Code
nesumin reported that the ostensibly fixed version (8.03) is still affected.

 Source Message Contents

Subject:  ws_ftp overflow

Product: WS_FTP Pro v8.02 and probably earlier versions.
Vendor:  Ipswitch

Vendor's Product Description:

WS_FTP Pro is the market leader in Windows-based FTP (file transfer protocol) client software. It enables users and organizations
 to move files between local and remote systems while enjoying the utmost in: 


WS_FTP Pro suffers a buffer over-run when ASCII mode directory data is passed to the client from the server, and this data exceeds
 260 bytes without a terminating CR/LF.  The application crashes with an error stating "instruction at 0xNNNNNNNN has addressed memory
 at ..." where 0xNNNNNNNN is a value in the overflowed buffer; suggesting that it is possible to cause WS_FTP Pro to continue execution
 at another location in memory - arbitrary code execution (?)

This problem can be demonstrated by creation of a long filename or directory name (250 bytes or more) in the ftp directory on the
 server, connecting to it and viewing the directory listing.  


Ipswitch was contacted about this problem, and version 8.03 appears to have solved it.  Update!


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC