Critical WFTPD buffer overflow vulnerability

From: axl rose (rdxaxl_at_hotmail.com)
Date: 02/28/04

    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    Date: Sat, 28 Feb 2004 21:52:33 +0000

    Name of Advisory: Critical WFTPD buffer overflow vulnerability
    Severity: Critical
    Discoverer: axl (rdxaxl@hotmail.com)
    Released: Today
    Vendor Notified: Today

    WFTPD who? what? when?
    ~~~~~~~~~~~~~~~~~~~~~~
    Vendor quote: "WFTPD Server has been a leading FTP server for Windows since
    it was released in 1993. Its stability and security have long been relied
    on by technology companies, educational institutions, government
    departments, individuals and others, to provide a secure FTP site."

    Tested versions
    ~~~~~~~~~~~~~~~
    - WFTPD Pro Server 3.21 Release 1 (trial) (latest version)
    - WFTPD Pro Server 3.20 Release 2 (trial)
    - WFTPD Server 3.21 Release 1 (trial) (latest version)
    - WFTPD Server 3.10 Release 1 (trial)

    All tested versions are vulnerable. Other versions may also be vulnerable.

    Overview
    ~~~~~~~~
    There is a stack-based buffer overflow vulnerability that a remote attacker
    can exploit to execute arbitrary code on the system running the vulnerable
    WFTPD server software. For WFTPD Pro Server the code executes as SYSTEM; for
    WFTPD Server it executes as the user who started the server.

    Vulnerability details
    ~~~~~~~~~~~~~~~~~~~~~
    The vulnerable FTP commands are LIST, NLST, and STAT. The attacker must be
    logged in (as any user) unless the Secure option in the registry is set to 0.

    There's special code that checks whether the first argument's first character
    is '-'. If it is, and there's a ' ' character at some later position, the
    vulnerable code below is executed (WFTPD Pro trial v3.21.1.1). For the
    programming-challenged people, I've added comments:

    004034B8 MOV EAX,[EBP+8] ; strchr(userbuf, ' ')
    004034BB SUB EAX,ESI
    004034BD DEC EAX ; num bytes to copy
    004034BE CMP EAX,EDI ; (below) jump if num bytes to copy
    004034C0 JLE SHORT 004034C4 ; is <= max_len - 2
    004034C2 MOV EDI,EAX
    004034C4 PUSH EDI ; max(max_len - 2, num bytes to copy)
    004034C5 INC ESI ; don't copy '-'
    004034C6 PUSH ESI ; &userbuf[1]
    004034C7 PUSH EBX ; &dest[1] on the stack
    004034C8 CALL memcpy

    Everything from the first '-' character up to the first ' ' character is
    copied into the destination string, which only has room for 31 characters and
    a terminating null byte. Obviously, the programmer mistakenly used max()
    instead of min().
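    The length computation from the disassembly above, reconstructed in C as an
    added example (not the advisory's attached code and not WFTPD's source): the
    shipped max() beside the min() it should have been, plus a bounded copy. The
    32-byte destination size, the function names and the sample argument are
    assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Assumed size of the destination: 31 option characters plus a NUL. */
#define OPT_BUF 32

/* Constructed sample: a 40-character option string followed by a space. */
#define FORTY_A "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
static const char LONG_ARG[] = "-" FORTY_A " x";

/* Bytes between the leading '-' and the first ' ', or -1 when the
 * special "-options ..." path is not taken at all. */
static long option_len(const char *arg)
{
    const char *space;
    if (arg == NULL || arg[0] != '-' || (space = strchr(arg, ' ')) == NULL)
        return -1;
    return (long)(space - arg) - 1;
}

/* Byte count the shipped code pushes for memcpy: the LARGER of the
 * option length and max_len - 2, so a long argument is copied whole. */
size_t copy_len_shipped(const char *arg, size_t max_len)
{
    long n = option_len(arg);
    size_t limit = max_len - 2;
    if (n < 0) return 0;
    return (size_t)n > limit ? (size_t)n : limit;   /* max(): the bug */
}

/* Same computation with min(): never more than the buffer can hold. */
size_t copy_len_fixed(const char *arg, size_t max_len)
{
    long n = option_len(arg);
    size_t limit = max_len - 2;
    if (n < 0) return 0;
    return (size_t)n < limit ? (size_t)n : limit;   /* min(): bounded */
}

/* Bounded extraction into a fixed buffer, mirroring the original layout
 * (options land at dest[1]). Returns 1 if the input had to be truncated. */
int extract_options(const char *arg, char dest[OPT_BUF])
{
    long want = option_len(arg);
    size_t n = copy_len_fixed(arg, OPT_BUF);
    if (want < 0) { dest[0] = '\0'; return 0; }
    dest[0] = '-';
    memcpy(&dest[1], arg + 1, n);      /* skips the '-', as the original does */
    dest[n + 1] = '\0';
    return (long)n < want;
}
```

    Note that with max() even a short option string such as "-la" makes the
    shipped code copy max_len - 2 bytes, so it over-reads the user buffer as
    well as overflowing on long input.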

    Exploit
    ~~~~~~~
    See attached source code.
