[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Critical WFTPD buffer overflow vulnerability
From:       "axl rose" <rdxaxl () hotmail ! com>
Date:       2004-02-28 21:52:33
Message-ID: BAY10-F84bD4rRHyQWw0000452d () hotmail ! com
[Download RAW message or body]


Name of Advisory: Critical WFTPD buffer overflow vulnerability
Severity:         Critical
Discoverer:       axl (rdxaxl@hotmail.com)
Released:         Today
Vendor Notified:  Today

WFTPD who? what? when?
~~~~~~~~~~~~~~~~~~~~~~
Vendor quote: "WFTPD Server has been a leading FTP server for Windows since 
it was released in 1993.   Its stability and security have long been relied 
on by technology companies, educational institutions, government 
departments, individuals and others, to provide a secure FTP site."

Tested versions
~~~~~~~~~~~~~~~
- WFTPD Pro Server 3.21 Release 1 (trial) (latest version)
- WFTPD Pro Server 3.20 Release 2 (trial)
- WFTPD Server 3.21 Release 1 (trial) (latest version)
- WFTPD Server 3.10 Release 1 (trial)

All tested versions are vulnerable. Other versions may also be vulnerable.

Overview
~~~~~~~~
There's a stack based buffer overflow vulnerability that a remote attacker 
can exploit to execute arbitrary code on the remote system running the 
vulnerable WFTPD server software. For WFTPD Pro Server, the code will 
execute as SYSTEM, and for WFTPD Server, the code will execute as the user 
who started the server.

Vulnerability details
~~~~~~~~~~~~~~~~~~~~~
The vulnerable FTP commands are LIST, NLST, and STAT. The user must be 
logged in as any user unless the Secure option in the registry is 0.

There's special code to check if the first argument's first character is 
equal to '-'. If it is, and there's a ' ' character at some later position, 
we'll execute this vulnerable code (WFTPD Pro trial v3.21.1.1). For the 
programming challenged people, I've added comments:

004034B8 MOV  EAX,[EBP+8]    ; strchr(userbuf, ' ')
004034BB SUB  EAX,ESI
004034BD DEC  EAX            ; num bytes to copy
004034BE CMP  EAX,EDI        ; (below) jump if num bytes to copy
004034C0 JLE  SHORT 004034C4 ; is <= max_len - 2
004034C2 MOV  EDI,EAX
004034C4 PUSH EDI            ; max(max_len - 2, num bytes to copy)
004034C5 INC  ESI            ; don't copy '-'
004034C6 PUSH ESI            ; &userbuf[1]
004034C7 PUSH EBX            ; &dest[1] on the stack
004034C8 CALL memcpy

Anything between the first '-' char to the first ' ' char can be copied to 
the string. This string only has room for 31 characters and a terminating 
null byte. Obviously, the programmer mistakenly used max() instead of min().

Exploit
~~~~~~~
See attached source code.

_________________________________________________________________
Store more e-mails with MSN Hotmail Extra Storage – 4 plans to choose from! 
http://click.atdmt.com/AVE/go/onm00200362ave/direct/01/

["xp_wftpd.zip" (application/x-zip-compressed)]

[prev in list] [next in list] [prev in thread] [next in thread]