[VulnWatch] [immune advisory] Multiple vulnerabilities found in BisonFTP

From: Immune Advisory (ja@immune.dk)
Date: 02/17/03

    Date: Mon, 17 Feb 2003 13:16:17 +0100
    From: Immune Advisory <ja@immune.dk>
    To: bugs@securitytracker.com, vulnwatch@vulnwatch.org, news@securiteam.com, vuln@secunia.com, bugtraq@securityfocus.org

    [immune advisory] Multiple vulnerabilities found in BisonFTP
    BisonFTP is an FTP daemon used on Microsoft Windows 9x/NT systems.

    -[ DESCRIPTION ]----------------------------------------------------------------
    I) BisonFTP is vulnerable to a DoS attack via FTP commands carrying large
        data. When the ftp command ls or cwd is sent with 4300 bytes or more,
        BisonFTP uses 100% CPU until the client closes the socket.

    II) It's possible to trick BisonFTP into revealing confidential information
        about files outside the ftp root.

        ftp> ls @../
        227 Entering PASV Mode (10,10,10,10,4,126)
        150 Directory List Follows
        -rwxrwxrwx 1 user group 739577 Feb 05 2002 BisonFTP42.exe
        226 Listing complete.
        ftp> mget @../Biso
        local: BisonFTP42.exe remote: BisonFTP42.exe
        227 Entering PASV Mode (10,10,10,10,4,128)
        550 File does not exist

        % Note that BisonFTP42.exe is NOT located in ftp root.

    -[ AFFECTED VERSIONS ]----------------------------------------------------------
    BisonFTP v4r2.
    * Earlier versions are not tested.

    -[ SOLUTION/WORKAROUND ]--------------------------------------------------------
    It's not possible to get in contact with the people at http://www.bisonftp.com
    anymore. I guess a new version will never be released.

    Workaround: since there might not be a new version, you are probably better
    off installing another FTP daemon.

    -[ CREDIT ]---------------------------------------------------------------------
    Bugs found: 15/jan 2003, by Jimmi Andersen
    Vendor contacted: 11/feb 2003
    Made public: 17/feb 2003
    http://www.immune.dk | Immune - Attack and defense of systems
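
Added example (not part of the advisory, and not Immune's or BisonFTP's code): a Python check for the two request patterns the advisory describes, meant to run over FTP control-channel lines taken from a log or a filtering proxy. The 4300-byte threshold is the advisory's; the verb sets, the rule of flagging any path component that contains "..", and the sample lines are assumptions made for this example.

```python
import re

LONG_ARG_BYTES = 4300                       # threshold stated in the advisory
LENGTH_VERBS = {"LIST", "NLST", "CWD"}      # wire verbs behind "ls" and "cwd"
PATH_VERBS = LENGTH_VERBS | {"RETR", "SIZE", "MDTM"}  # assumed set of path-taking verbs


def classify(line: bytes):
    """Return (verb, findings) for one raw FTP control-channel line."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    verb = verb.decode("ascii", "replace").upper()
    findings = []
    if verb in LENGTH_VERBS and len(arg) >= LONG_ARG_BYTES:
        findings.append("oversized-argument")
    if verb in PATH_VERBS:
        # Split on both separators because the daemon runs on Windows.
        components = re.split(rb"[\\/]", arg)
        # Flag any component containing "..", not only an exact "..", so the
        # prefixed form "@.." from the advisory is caught. This is deliberately
        # conservative: a harmless name such as "notes..txt" is flagged too.
        if any(b".." in c for c in components):
            findings.append("dot-dot-in-path")
    return verb, findings


def scan(lines):
    """Yield (line_number, verb, findings) for every line with a finding."""
    for number, line in enumerate(lines, 1):
        verb, findings = classify(line)
        if findings:
            yield number, verb, findings


# Constructed sample lines (not captured traffic).
SAMPLE = [
    b"USER anonymous\r\n",
    b"CWD pub\r\n",
    b"LIST @../\r\n",
    b"RETR @../BisonFTP42.exe\r\n",
    b"CWD " + b"A" * 4300 + b"\r\n",
    b"LIST " + b"A" * 4299 + b"\r\n",
    b"RETR notes..txt\r\n",
]

if __name__ == "__main__":
    for number, verb, findings in scan(SAMPLE):
        print(number, verb, ",".join(findings))
```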