SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   WS_FTP Pro Vendors:   Ipswitch
(Version 8.03 is Vulnerable) WS_FTP Pro ASCII Mode Directory Listing Buffer Overflow May Let Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1009648
SecurityTracker URL:  http://securitytracker.com/id/1009648
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 3 2004
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 8.03 and prior versions
Description:   A buffer overflow vulnerability was reported in the WS_FTP Pro client software. A remote server may be able to cause arbitrary code to be executed on a connected client.

It is reported that a remote FTP server can send specially crafted ASCII mode directory data to a connected client to trigger the overflow. If the returned data has more than 260 bytes without a terminating CR/LF (such as a long directory or file name), memory will be overwritten with user-supplied data, the report said. It may be possible to execute arbitrary code, but the report did not confirm that.

Impact:   A remote server may be able to execute arbitrary code on a connected client.
Solution:   The vendor issued a new version (8.03) to fix the flaw, but nesumin reported that 8.03 is still vulnerable [see the Source Message].
Vendor URL:  www.ipswitch.com/products/WS_FTP/index.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 15 2004 WS_FTP Pro ASCII Mode Directory Listing Buffer Overflow May Let Remote Servers Execute Arbitrary Code



 Source Message Contents

Subject:  Re[2]: ws_ftp overflow (WS_FTP Pro 8.0.3 is vulnerable)


Hi all,

It have been confirmed by Oliver Schneider that "WS_FTP Pro 8.0.3 License
Version" is also vulnerable to this vulnerability.
(Thanks! Mr. Oliver ;-)


Regards,
nesumin


-----Original Message-----
From: nesumin@softhome.net
Sent: Wed, 17 Mar 2004 00:02:10 +0900
To: john layman <john@interteq.net>, bugtraq@securityfocus.com
Subject: Re: ws_ftp overflow


> Hello, john,
> 
> It seems vendor has tried to prevent this stack-based buffer overflow in
> version 8.0.3.0 by limiting our data's size less than 0x0200 bytes.
> But the size of buffer which they have allocated to treat our data was
> 0x0100 bytes only.
> As far as I have tested on WS_FTP Pro 8.0.3.0 Evaluation Version,
> I could execute the code by exploiting this vulnerability.
> 
> Therefore it appears that this vulnerability has not been solved yet
> though I don't know whether "Non Evaluation Version" is vulnerable
> or not.
> 
> By the way, I had reported the same vulnerability of "WS_FTP Pro 7.6.2.0"
> and prior versions to Ipswitch in 2003/05/08 although I could not get a
> good response.
> 
> 
> Regards,
> nesumin
> 
> 
> -----Original Message-----
> From: john layman <john@interteq.net>
> Sent: 14 Mar 2004 21:41:30 -0000
> To: bugtraq@securityfocus.com
> Subject: ws_ftp overflow
> 
> 
> > 
> > 
> > Product: WS_FTP Pro v8.02 and probably earlier versions.
> > Vendor:  Ipswitch
> > 
> > Vendor's Product Description:
> > 
> > WS_FTP Pro is the market leader in Windows-based FTP (file transfer protocol) client software. It enables users and organizations
 to move files between local and remote systems while enjoying the utmost in: 
> > 
> > Problem:
> > 
> > WS_FTP Pro suffers a buffer over-run when ASCII mode directory data is passed to the client from the server, and this data exceeds
 260 bytes without a terminating CR/LF.  The application crashes with an error stating "instruction at 0xNNNNNNNN has addressed memory
 at ..." where 0xNNNNNNNN is a value in the overflowed buffer; suggesting that it is possible to cause WS_FTP Pro to continue execution
 at another location in memory - arbitrary code execution (?)
> > 
> > This problem can be demonstrated by creation of a long filename or directory name (250 bytes or more) in the ftp directory on
 the server, connecting to it and viewing the directory listing.  
> > 
> > Fix:  
> > 
> > Ipswitch was contacted about this problem, and version 8.03 appears to have solved it.  Update!

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC