[NT] WS_FTP SITE CPWD Buffer Overflow Vulnerability

From: support@securiteam.com
Date: 08/10/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 10 Aug 2002 22:41:17 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  WS_FTP SITE CPWD Buffer Overflow Vulnerability
------------------------------------------------------------------------

SUMMARY

WS_FTP Server is a widely used FTP Server for the Microsoft NT/2000/XP
platform. There exists a vulnerability within the software, which allows
an attacker to overwrite the return address on the stack, thus taking
control of the execution flow. This allows the attacker to run arbitrary
code on the system remotely.

DETAILS

Vulnerable systems:
 * WS_FTP Server version 3.1.1

The WS_FTP Server allows users to change their password through a site
command, "site cpwd". The code handling the argument supplied with this
site command contains an unchecked string copy, allowing an attacker to
overwrite the return address stored on the stack. Since the WS_FTP Server
is running as a service, in most cases it will be executing as SYSTEM.

The feature that allows users to change their passwords is enabled by
default, but a WS_FTP Server administrator can turn this functionality
off.
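The following is an added illustration, not WS_FTP Server code (its source is not public) and not from the advisory's author: a hypothetical model of a SITE CPWD handler showing the unchecked strcpy pattern the advisory describes next to a bounded version that rejects an oversized argument before anything is written. The buffer size, function names and reply codes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define PWD_MAX 32     /* hypothetical fixed size of the password buffer */

/* Defective pattern the advisory describes: the argument is copied with
 * strcpy into a fixed-size stack buffer, so an argument of PWD_MAX bytes or
 * more writes past the buffer into whatever follows it on the stack.
 * Shown for contrast only; never call it with untrusted input. */
void cpwd_unchecked(const char *arg)
{
    char newpass[PWD_MAX];
    strcpy(newpass, arg);   /* no length check */
}

/* Bounded replacement. Parses one "SITE CPWD <newpass>" line, stripping the
 * trailing CRLF, and returns the FTP reply code: 200 when the argument fits
 * and was stored, 501 when it is empty or would not fit (nothing is
 * written), 500 when the line is some other command. */
int handle_site_cpwd(const char *line, char *newpass, size_t newpass_sz)
{
    static const char prefix[] = "SITE CPWD ";
    const char *arg;
    size_t n;

    if (strncasecmp(line, prefix, sizeof prefix - 1) != 0)
        return 500;
    arg = line + (sizeof prefix - 1);
    n = strcspn(arg, "\r\n");          /* argument ends at CRLF */
    if (n == 0 || n >= newpass_sz)     /* must leave room for the NUL */
        return 501;
    memcpy(newpass, arg, n);
    newpass[n] = '\0';
    return 200;
}

int main(void)
{
    char pw[PWD_MAX], line[256] = "SITE CPWD ";
    memset(line + 10, 'A', 200);       /* constructed 200-byte argument */
    line[210] = '\0';
    printf("%d\n", handle_site_cpwd("SITE CPWD s3cret\r\n", pw, sizeof pw)); /* 200 */
    printf("%d\n", handle_site_cpwd(line, pw, sizeof pw));                   /* 501 */
    return 0;
}
```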

Vendor response:
This issue was reported to Ipswitch on July 25, 2002 and a patch was
produced shortly thereafter.

Recommendation:
Install the patch provided by Ipswitch:
 
ftp://ftp.ipswitch.com/ipswitch/product_support/WS_FTP_Server/ifs312.exe

For more info, see:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

Also, consider turning off all unused features and running the software
under a less privileged account.

ADDITIONAL INFORMATION

The information has been provided by Andreas Junestam
<andreas@atstake.com>.

