COMMAND

    BisonWare FTP Server

SYSTEMS AFFECTED

    BisonWare FTP Server 3.5

PROBLEM

    Arne Vidstrom found the following vulnerabilities in BisonWare FTP
    Server 3.5 (latest version).

    1) The server doesn't close the old socket from the last PASV
       command when given a new PASV command. Thus it runs out of
       buffer space if you give lots of PASV commands in a row.
       Finally, you can't use the server, and it consumes lots of
       memory that isn't released when the client disconnects.

    2) If you log in and give the command "PORT a", and then press
       Enter a few thousand times in a row, the server will crash
       because it can't handle a non-numeric character after PORT and
       somehow adds all the CRLFs to the PORT command in a buffer
       that seems to overflow.

    3) There are buffer overflows for commands that take arguments,
       for example LIST xxxx (1500 characters) and CWD xxx (1500
       characters) will crash it. This works for the USER command
       too, so an attacker won't need a valid account to crash the
       server.

    4) The account passwords are stored in plaintext in the registry,
       at HKEY_CURRENT_USER\Software\BisonWare\BisonFTP3\Users and are
       also shown when you manage users in the server. They are also
       added to the logs when users log in, depending on how you
       configure logging. So don't put your logs in a directory that
       can be viewed by FTP users.
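    As an added illustration (not BisonWare's code; the function names
    and the 512-byte line limit are assumptions), here is how a server-
    side command handler avoids the three input-handling faults in items
    1 to 3: bounded line length, strict PORT parsing, and closing the
    previous PASV listener before opening a new one:

```python
import re
import socket

# Added example, not BisonWare code: the input-handling rules an FTP server
# needs to avoid the three failure modes listed above. MAX_LINE is an assumed
# limit; RFC 959 command lines are short, so 512 bytes is generous.
MAX_LINE = 512
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_command(raw):
    """Split one control-connection line into (VERB, argument). Returns None
    for over-long lines or embedded control characters, so a 1500-byte
    LIST/CWD/USER argument never reaches a fixed-size buffer."""
    if not raw or len(raw) > MAX_LINE:
        return None
    line = raw.rstrip("\r\n")
    if any(ord(c) < 32 for c in line):
        return None
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg

def parse_port(arg):
    """Return (host, port) for a well-formed 'h1,h2,h3,h4,p1,p2' argument, or
    None for anything else ('PORT a', stray CRLFs, octets above 255)."""
    m = PORT_RE.match(arg.strip())
    if not m or any(int(x) > 255 for x in m.groups()):
        return None
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

class DataChannel:
    """Passive-mode listener for one control session. Each PASV closes the
    previous listener first, so repeated PASV cannot pile up open sockets."""
    def __init__(self):
        self.listener = None

    def pasv(self):
        self.close()  # the step item 1 says the server skips
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))  # loopback, ephemeral port: runs offline
        s.listen(1)
        self.listener = s
        return s.getsockname()[1]

    def close(self):
        if self.listener is not None:
            self.listener.close()
            self.listener = None
```

    Issuing PASV many times on one DataChannel leaves exactly one
    listening socket open; closing the session releases it.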

    Another point is that after default installation, an anonymous
    user can access everything in your computer because you have to
    set the limitations after installation. You can't really count
    that as a bug, but it's really dangerous anyway... so if you
    run this server, make sure you reconfigure it if you haven't
    already!

SOLUTION

    Fixed in release 4.1.