[NEWS] WS_FTP Pro ASCII Directory Transfer Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 03/16/04

  • Next message: SecuriTeam: "[EXPL] Remote Buffer Overflow in MDaemon (Exploit)"
    To: list@securiteam.com
    Date: 16 Mar 2004 12:57:14 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      WS_FTP Pro ASCII Directory Transfer Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.ipswitch.com/products/WS_FTP/index.html> WS_FTP Pro is "the
    market leader in Windows-based FTP (file transfer protocol) client
    software". WS_FTP Pro suffers a buffer over-run when ASCII mode directory
    data is passed to the client from the server, and this data exceeds 260
    bytes without a terminating CR/LF.

    DETAILS

    Vulnerable Systems:
     * WS_FTP Pro version 8.02 and prior

    Immune Systems:
     * WS_FTP Pro version 8.03 or newer

    The WS_FTP Pro can be caused to crash by a malicious server, if that
    server sends an ASCII mode directory data which exceeds 260 bytes without
    being terminated by a CR/LF. The application will crash with an error
    stating "instruction at 0xNNNNNNNN has addressed memory at ..." where
    0xNNNNNNNN is a value in the overflowed buffer; suggesting that it is
    possible to cause WS_FTP Pro to continue execution at another location in
    memory - arbitrary code execution.

    This problem can be demonstrated by creation of a long filename or
    directory name (250 bytes or more) in the ftp directory on the server,
    connecting to it and viewing the directory listing.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:john@interteq.net> John
    Layman.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] Remote Buffer Overflow in MDaemon (Exploit)"

    Relevant Pages

    • [NT] Multiple Vulnerabilities in HP Web JetAdmin (Read, Write, Execute, Path Disclosure, Password De
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... HP Web JetAdmin is an enterprise management system for large amounts of HP ... The web server is a modular service ... HP Web JetAdmin uses it's own encryption. ...
      (Securiteam)
    • [NEWS] Multiple Vulnerabilities in QuickTime (PICT, AAC and URLs)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PICT image may result in a heap buffer overflow. ... unexpected application termination or arbitrary code execution ...
      (Securiteam)
    • [NEWS] Multiple Vulnerabilities in Oracle Database (Character Conversion, Extproc, Password Disclosu
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities were discovered in the (Oracle database server ... password is required to exploit this vulnerability. ...
      (Securiteam)
    • [NEWS] ColdFusion MX Oversize Error Message DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ColdFusion MX "is the solution for building and deploying powerful web ... shoots up and stays there until the server completes writing the error ... a long string of data as a GET or POST request to ...
      (Securiteam)
    • [NT] F-Secure Internet Gatekeeper Content Scanning Server DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... " <http://www.f-secure.com/products/anti-virus/fsigk/> F-Secure Internet ... the Content Scanner Server. ... The vendor has been contacted and confirmed the existence of the problem ...
      (Securiteam)