WS_FTP 2007 Professional SCP handling format string vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WS_FTP 2007 Professional SCP handling format string vulnerability
From: "Michal Bucko" <michal.bucko@xxxxxxx>
Date: Fri, 26 Jan 2007 23:55:08 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Synopsis: WS_FTP 2007 Professional SCP handling format string vulnerability
Product: WS_FTP 2007 Professional
Vendor: Ipswitch
 
 
 
I. Background
 
 
 
"[..]Transfer files anywhere, anytime, with complete security.
 
    * Lightning fast transfer speeds
    * Industry leading security
    * Time saving features include schedule, backup, and email 
notifications[..]"
 
 
 
II. Problem Description
Remote code execution is possible.
 
III. Details
SCP handling module is vulnerable to format string vulnerability.
Opening a specially crafted SCP file with WS_FTP 2007 script handler
might lead to arbitrary code execution. The specially crafted file 
uses the WS_FTP script command "SHELL" and executes the file with
the specially crafted name. The file is access using "file://".
 
 
 

Kind regards,
 
Michal Bucko (sapheal)

Prev by Date: Dexia website security alert
Next by Date: Re: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed
Previous by thread: Re: Dexia website security alert
Next by thread: [ MDKSA-2007:029 ] - Updated libsoup packages fix DoS vulnerability
Index(es):
- Date
- Thread