[NT] Mulitple Vulnerabilities Found in BisonFTP (DoS, Directory Traversal @)

From: support@securiteam.com
Date: 02/17/03

  • Next message: support@securiteam.com: "[UNIX] CGI SAPI Security Vulnerability"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 17 Feb 2003 22:29:54 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Mulitple Vulnerabilities Found in BisonFTP (DoS, Directory Traversal @)


     <http://www.bisonftp.com/> BisonFTP Server is a native Windows FTP
    Server. It offers all of the standard features other FTP Servers provide
    and includes such features as S/KEY Password, File Filtering, etc. Two
    security vulnerabilities have been found in the product allowing a remote
    attacker to cause it to no longer be able to respond to legitimate
    request, and to view files and directories that reside outside the
    bounding FTP root directory.


    Vulnerable systems:
     * BisonFTP version 4r2

    Denial of service:
    BisonFTP is vulnerable to a DoS attack by sending ftp commands with big
    data. By sending the FTP command LS or CWD with 4300 bytes or more,
    BisonFTP will start 100% CPU usage until the socket is closed by the

    Directory Traversal:
    It is possible to trick BisonFTP into revealing confidential information
    about files outside ftp root.

        ftp> ls @../
        227 Entering PASV Mode (10,10,10,10,4,126)
        150 Directory List Follows
        -rwxrwxrwx 1 user group 739577 Feb 05 2002 BisonFTP42.exe
        226 Listing complete.
        ftp> mget @../Biso
        local: BisonFTP42.exe remote: BisonFTP42.exe
        227 Entering PASV Mode (10,10,10,10,4,128)
        550 File does not exist


    The information has been provided by <mailto:ja@immune.dk> Immune


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.