Re: ws_ftp overflow
Hello, john,
It seems vendor has tried to prevent this stack-based buffer overflow in
version 8.0.3.0 by limiting our data's size less than 0x0200 bytes.
But the size of buffer which they have allocated to treat our data was
0x0100 bytes only.
As far as I have tested on WS_FTP Pro 8.0.3.0 Evaluation Version,
I could execute the code by exploiting this vulnerability.
Therefore it appears that this vulnerability has not been solved yet
though I don't know whether "Non Evaluation Version" is vulnerable
or not.
By the way, I had reported the same vulnerability of "WS_FTP Pro 7.6.2.0"
and prior versions to Ipswitch in 2003/05/08 although I could not get a
good response.
Regards,
nesumin
-----Original Message-----
From: john layman <john@xxxxxxxxxxxx>
Sent: 14 Mar 2004 21:41:30 -0000
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ws_ftp overflow
>
>
> Product: WS_FTP Pro v8.02 and probably earlier versions.
> Vendor: Ipswitch
>
> Vendor's Product Description:
>
> WS_FTP Pro is the market leader in Windows-based FTP (file transfer protocol)
> client software. It enables users and organizations to move files between
> local and remote systems while enjoying the utmost in:
>
> Problem:
>
> WS_FTP Pro suffers a buffer over-run when ASCII mode directory data is passed
> to the client from the server, and this data exceeds 260 bytes without a
> terminating CR/LF. The application crashes with an error stating
> "instruction at 0xNNNNNNNN has addressed memory at ..." where 0xNNNNNNNN is a
> value in the overflowed buffer; suggesting that it is possible to cause
> WS_FTP Pro to continue execution at another location in memory - arbitrary
> code execution (?)
>
> This problem can be demonstrated by creation of a long filename or directory
> name (250 bytes or more) in the ftp directory on the server, connecting to it
> and viewing the directory listing.
>
> Fix:
>
> Ipswitch was contacted about this problem, and version 8.03 appears to have
> solved it. Update!