ALLO ALLO WS_FTP Server

From: Hugh Mann (hughmann_at_hotmail.com)
Date: 03/23/04

    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    Date: Tue, 23 Mar 2004 07:13:29 +0000
    
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Advisory Name: ALLO ALLO WS_FTP Server
    Impact : Arbitrary code execution as SYSTEM
    Discovered by: Hugh Mann hughmann@hotmail.com
    Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Description
    ~~~~~~~~~~~
    A user who can upload files, and also has a max number of files limit or max
    total file size limit, can read any memory address the WS_FTP Server can
    read. With the right address, the user can cause a buffer overflow and
    execute arbitrary code as SYSTEM.

    Details
    ~~~~~~~
    There's a vulnerability in the ALLO handler when it sends an error string to
    the client. Instead of pushing an ASCIIZ string, it pushes a 64-bit value
    equal to the total size of all files in the user's dir and any sub-dirs.
    This is a value we can easily control if we exploit the WS_FTP Server REST
    vulnerability. If we change this value to a string of size equal to ~256
    bytes, we can overwrite the return address and execute arbitrary code as
    SYSTEM.

    Exploit
    ~~~~~~~
    See the attached source code.

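The bug class described under Details, an integer handed to a conversion that expects a string, is shown below beside a hardened form. This is an added example, not part of the original post and not WS_FTP Server code. The function names, the reply text, and the buffer size are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

#define REPLY_MAX 128   /* constructed size, not taken from WS_FTP Server */

/* Hypothetical reply formatter. The format attribute makes GCC/Clang check
 * every call site's arguments against the format string at compile time. */
__attribute__((format(printf, 3, 4)))
static int format_reply(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, cap, fmt, ap);   /* never writes past cap */
    va_end(ap);
    if (n < 0 || (size_t)n >= cap) {        /* error or truncated reply */
        if (cap) dst[0] = '\0';
        return -1;
    }
    return n;
}

#ifdef SHOW_VULNERABLE_PATTERN
/* Assumed shape of the flaw: the argument is the 64-bit usage total, but the
 * conversion expects a string pointer, so the total is treated as an address
 * and copied with no length limit. Kept out of the build on purpose. */
static void allo_error_bad(char *dst, uint64_t used)
{
    sprintf(dst, "552 Quota exceeded: %s\r\n", used);
}
#endif

/* Hardened form: integer conversions for integers, bounded output buffer. */
static int allo_error(char *dst, size_t cap, uint64_t used, uint64_t limit)
{
    return format_reply(dst, cap,
        "552 Quota exceeded: %" PRIu64 " of %" PRIu64 " bytes used\r\n",
        used, limit);
}

int main(void)
{
    char reply[REPLY_MAX];
    /* Constructed usage total; printed as a number, never dereferenced. */
    if (allo_error(reply, sizeof reply, 0x401000ULL, 1048576) > 0)
        fputs(reply, stdout);
    return 0;
}
```

Building with `-Wformat -Werror=format` turns the mismatch in the excluded function into a compile error once it is enabled.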

    
    


