[SA11206] WS_FTP Server Multiple Vulnerabilities

From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Wed Mar 24 2004 - 10:33:37 CST


TITLE:
WS_FTP Server Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA11206

VERIFY ADVISORY:
http://secunia.com/advisories/11206/

CRITICAL:
Less critical

IMPACT:
Privilege escalation, DoS, System access

WHERE:
From remote

SOFTWARE:
WS_FTP Server 4.x

DESCRIPTION:
Hugh Mann has reported multiple vulnerabilities in WS_FTP Server,
which can be exploited by malicious users to cause a DoS
(Denial-of-Service), gain escalated privileges, or compromise the
system.

1) By default, local administrative FTP users are the only users able
to edit user-defined SITE commands to execute arbitrary programs with
SYSTEM privileges. However, it is possible for either a malicious,
local user or a remote FTP administrator to do the same.

A remote administrative FTP user can enable remote editing of
user-defined SITE commands via the "SITE SETS" FTP command and then
afterwards use the "SITE SETC" FTP command to edit a user-defined
SITE command, which allows execution of arbitrary commands with
SYSTEM privileges.

A malicious, local user without administrative FTP privileges can
also gain these by logging in through the following backdoor:

RealName: Local Session Manager
Username: XXSESS_MGRYY
Password: X#1833

2) A boundary error exists within the ALLO handler when returning
error strings to a client. The problem is that the returned error
string is a 64-bit value based on the total size of all files in the
user's directory and sub-directories.

This can be exploited to cause a buffer overflow by manipulating the
user's directory content and thereby change the returned value into a
256 byte long string.

Successful exploitation may allow execution of arbitrary code with
SYSTEM privileges, but requires that the user has permission to
upload files and that an upper limit on the number of files or the
total file size is imposed.

3) A boundary error exists within the handling of the "STAT" FTP
command while downloading files. This can be exploited by issuing the
"STAT" FTP command while downloading a specially crafted file, which
was uploaded previously.

Successful exploitation may allow execution of arbitrary code with
SYSTEM privileges. However, it requires that the user has write
access to a directory and has an overly long username or has the
ability to change his username (administrative FTP user).

4) Malicious users with write access to a directory can consume all
available disk space even though limits are imposed. This can be
exploited by passing an extremely large value as the argument to the
"REST" FTP command and then uploading a small file with the "STOR"
FTP command.

The vulnerabilities have all been reported in version 4.0.2
(Evaluation version). However, other versions may also be affected.

SOLUTION:
Grant only trusted users access to the FTP service and system.
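
A log check for the command patterns described in items 1 and 4, as an
added example that is not part of the Secunia advisory. The log layout,
the sample lines and the REST_LIMIT threshold are constructed
assumptions, not WS_FTP Server's own log format.

```python
import re

# Constructed log layout (an assumption, not WS_FTP Server's own format):
#   <timestamp> <session-id> <FTP command line as received>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
BACKDOOR_USER = "XXSESS_MGRYY"   # account name given in the advisory
REST_LIMIT = 2**31               # assumed cut-off for an "extremely large" REST offset

SAMPLE_LOG = """\
2004-03-24T10:00:01 s1 USER alice
2004-03-24T10:00:05 s1 REST 1024
2004-03-24T10:00:06 s1 STOR report.doc
2004-03-24T10:01:00 s2 USER XXSESS_MGRYY
2004-03-24T10:02:10 s3 USER ftpadmin
2004-03-24T10:02:15 s3 SITE SETS
2004-03-24T10:02:20 s3 SITE SETC
2004-03-24T10:03:00 s4 USER bob
2004-03-24T10:03:05 s4 REST 9223372036854775000
2004-03-24T10:03:06 s4 STOR a.txt
"""

def scan(log_text):
    """Return (timestamp, session, finding) tuples for items 1 and 4."""
    findings = []
    pending_rest = {}            # session -> REST offset awaiting a transfer
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # skip lines that do not fit the layout
        ts, sess = m.group(1), m.group(2)
        verb, arg = m.group(3).upper(), (m.group(4) or "").strip()
        sub = arg.split()[0].upper() if arg.split() else ""
        if verb == "USER" and arg.upper() == BACKDOOR_USER:
            findings.append((ts, sess, "backdoor-account-login"))
        elif verb == "SITE" and sub in ("SETS", "SETC"):
            findings.append((ts, sess, "site-command-edit:" + sub))
        elif verb == "REST":
            # Unparsable offsets are treated as oversized so they get reviewed.
            pending_rest[sess] = int(arg) if arg.isdigit() else REST_LIMIT
        elif verb == "STOR":
            if pending_rest.pop(sess, 0) >= REST_LIMIT:
                findings.append((ts, sess, "stor-after-oversized-rest"))
        else:
            pending_rest.pop(sess, None)   # REST only affects the next transfer
    return findings
```

Calling scan(SAMPLE_LOG) returns the findings for the constructed
sessions s2, s3 and s4; session s1 is a normal resumed upload and
produces none.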

PROVIDED AND/OR DISCOVERED BY:
Hugh Mann

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------