[NEWS] WS_FTP Pro ASCII Directory Transfer Buffer Overflow

• Previous message: SecuriTeam: "[NEWS] VMWare not the Perfect Sandbox"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 16 Mar 2004 12:57:14 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  WS_FTP Pro ASCII Directory Transfer Buffer Overflow
------------------------------------------------------------------------

SUMMARY

 <http://www.ipswitch.com/products/WS_FTP/index.html> WS_FTP Pro is "the
market leader in Windows-based FTP (file transfer protocol) client
software". WS_FTP Pro suffers a buffer over-run when ASCII mode directory
data is passed to the client from the server, and this data exceeds 260
bytes without a terminating CR/LF.

DETAILS

Vulnerable Systems:
 * WS_FTP Pro version 8.02 and prior

Immune Systems:
 * WS_FTP Pro version 8.03 or newer

The WS_FTP Pro can be caused to crash by a malicious server, if that
server sends an ASCII mode directory data which exceeds 260 bytes without
being terminated by a CR/LF. The application will crash with an error
stating "instruction at 0xNNNNNNNN has addressed memory at ..." where
0xNNNNNNNN is a value in the overflowed buffer; suggesting that it is
possible to cause WS_FTP Pro to continue execution at another location in
memory - arbitrary code execution.

This problem can be demonstrated by creation of a long filename or
directory name (250 bytes or more) in the ftp directory on the server,
connecting to it and viewing the directory listing.

ADDITIONAL INFORMATION

The information has been provided by <mailto:john@interteq.net> John
Layman.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] VMWare not the Perfect Sandbox"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]