Re[2]: ws_ftp overflow (WS_FTP Pro 8.0.3 is vulnerable)

[nesumin <nesumin () softhome net>]

Hi all,

It have been confirmed by Oliver Schneider that "WS_FTP Pro 8.0.3 License
Version" is also vulnerable to this vulnerability.
(Thanks! Mr. Oliver ;-)


Regards,
nesumin


-----Original Message-----
From: nesumin () softhome net
Sent: Wed, 17 Mar 2004 00:02:10 +0900
To: john layman <john () interteq net>, bugtraq () securityfocus com
Subject: Re: ws_ftp overflow


> Hello, john,
>
> It seems vendor has tried to prevent this stack-based buffer overflow in
> version 8.0.3.0 by limiting our data's size less than 0x0200 bytes.
> But the size of buffer which they have allocated to treat our data was
> 0x0100 bytes only.
> As far as I have tested on WS_FTP Pro 8.0.3.0 Evaluation Version,
> I could execute the code by exploiting this vulnerability.
>
> Therefore it appears that this vulnerability has not been solved yet
> though I don't know whether "Non Evaluation Version" is vulnerable
> or not.
>
> By the way, I had reported the same vulnerability of "WS_FTP Pro 7.6.2.0"
> and prior versions to Ipswitch in 2003/05/08 although I could not get a
> good response.
>
>
> Regards,
> nesumin
>
>
> -----Original Message-----
> From: john layman <john () interteq net>
> Sent: 14 Mar 2004 21:41:30 -0000
> To: bugtraq () securityfocus com
> Subject: ws_ftp overflow
>
>
> > Product: WS_FTP Pro v8.02 and probably earlier versions.
> > Vendor:  Ipswitch
> >
> > Vendor's Product Description:
> >
> > WS_FTP Pro is the market leader in Windows-based FTP (file transfer protocol) client software. It enables users and 
> > organizations to move files between local and remote systems while enjoying the utmost in: 
> >
> > Problem:
> >
> > WS_FTP Pro suffers a buffer over-run when ASCII mode directory data is passed to the client from the server, and 
> > this data exceeds 260 bytes without a terminating CR/LF.  The application crashes with an error stating 
> > "instruction at 0xNNNNNNNN has addressed memory at ..." where 0xNNNNNNNN is a value in the overflowed buffer; 
> > suggesting that it is possible to cause WS_FTP Pro to continue execution at another location in memory - arbitrary 
> > code execution (?)
> >
> > This problem can be demonstrated by creation of a long filename or directory name (250 bytes or more) in the ftp 
> > directory on the server, connecting to it and viewing the directory listing.  
> >
> > Fix:  
> >
> > Ipswitch was contacted about this problem, and version 8.03 appears to have solved it.  Update!