<<< Date Index >>>     <<< Thread Index >>>

Re[2]: ws_ftp overflow (WS_FTP Pro 8.0.3 is vulnerable)



Hi all,

It have been confirmed by Oliver Schneider that "WS_FTP Pro 8.0.3 License
Version" is also vulnerable to this vulnerability.
(Thanks! Mr. Oliver ;-)


Regards,
nesumin


-----Original Message-----
From: nesumin@xxxxxxxxxxxx
Sent: Wed, 17 Mar 2004 00:02:10 +0900
To: john layman <john@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: ws_ftp overflow


> Hello, john,
> 
> It seems vendor has tried to prevent this stack-based buffer overflow in
> version 8.0.3.0 by limiting our data's size less than 0x0200 bytes.
> But the size of buffer which they have allocated to treat our data was
> 0x0100 bytes only.
> As far as I have tested on WS_FTP Pro 8.0.3.0 Evaluation Version,
> I could execute the code by exploiting this vulnerability.
> 
> Therefore it appears that this vulnerability has not been solved yet
> though I don't know whether "Non Evaluation Version" is vulnerable
> or not.
> 
> By the way, I had reported the same vulnerability of "WS_FTP Pro 7.6.2.0"
> and prior versions to Ipswitch in 2003/05/08 although I could not get a
> good response.
> 
> 
> Regards,
> nesumin
> 
> 
> -----Original Message-----
> From: john layman <john@xxxxxxxxxxxx>
> Sent: 14 Mar 2004 21:41:30 -0000
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: ws_ftp overflow
> 
> 
> > 
> > 
> > Product: WS_FTP Pro v8.02 and probably earlier versions.
> > Vendor:  Ipswitch
> > 
> > Vendor's Product Description:
> > 
> > WS_FTP Pro is the market leader in Windows-based FTP (file transfer 
> > protocol) client software. It enables users and organizations to move files 
> > between local and remote systems while enjoying the utmost in: 
> > 
> > Problem:
> > 
> > WS_FTP Pro suffers a buffer over-run when ASCII mode directory data is 
> > passed to the client from the server, and this data exceeds 260 bytes 
> > without a terminating CR/LF.  The application crashes with an error stating 
> > "instruction at 0xNNNNNNNN has addressed memory at ..." where 0xNNNNNNNN is 
> > a value in the overflowed buffer; suggesting that it is possible to cause 
> > WS_FTP Pro to continue execution at another location in memory - arbitrary 
> > code execution (?)
> > 
> > This problem can be demonstrated by creation of a long filename or 
> > directory name (250 bytes or more) in the ftp directory on the server, 
> > connecting to it and viewing the directory listing.  
> > 
> > Fix:  
> > 
> > Ipswitch was contacted about this problem, and version 8.03 appears to have 
> > solved it.  Update!