-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: WS_FTP SITE CPWD Buffer Overflow vulnerability
Release Date: 08/08/2002
Application: WS_FTP SERVER 3.1.1
Platform: Windows NT/2000/XP
Severity: A buffer overflow occurs allowing the
remote execution of arbitrary code
Author: Andreas Junestam (andreas@atstake.com)
Vendor Status: Patch is released
CVE Candidate: CAN-2002-0826
Reference: www.atstake.com/research/advisories/2002/a080802-1.txt
Overview:
WS_FTP Server is a widely used FTP Server for the Microsoft
NT/2000/XP platform.
There exists a vulnerability within the software, which allows an
attacker to overwrite the return address on the stack, thus taking
control of the execution flow. This allows the attacker to run
arbitrary code on the system remotely
Detailed Description:
The WS_FTP Server allows users to change their password through
a site command, "site cpwd". The code handling the argument supplied
with this site command contains an unchecked string copy, allowing
an attacker to overwrite the return address stored on the stack.
Since the WS_FTP Server is running as a service, in most cases it will
be executing as SYSTEM.
The feature to allow user to change their passwords is enabled by
deafult, but it is possible for a WS_FTP Server administrator to turn
this functionality off.
Vendor Response:
This issue was reported to Ipswitch on July 25, 2002 and a patch was
produced short thereafter.
Recommendation:
Install the patch provided by Ipswitch:
ftp://ftp.ipswitch.com/ipswitch/product_support/WS_FTP_Server/ifs312.exe
For more info, see:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
Also, consider turning off all unused features and run the software
under a less privileged account.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2002-0926 WS_FTP SITE CPWD Buffer Overflow vulnerability
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
Copyright 2002 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQA/AwUBPVJ5SEe9kNIfAm4yEQJ45QCg8ZQeT5YBnM+M828g4/ADvDjQhqsAoLBj
8/7ChofztBBYnruT3tu62Kgr
=WJ3k
-----END PGP SIGNATURE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: WS_FTP SITE CPWD Buffer Overflow vulnerability
Release Date: 08/08/2002
Application: WS_FTP SERVER 3.1.1
Platform: Windows NT/2000/XP
Severity: A buffer overflow occurs allowing the
remote execution of arbitrary code
Author: Andreas Junestam (andreas@atstake.com)
Vendor Status: Patch is released
CVE Candidate: CAN-2002-0826
Reference: www.atstake.com/research/advisories/2002/a080802-1.txt
Overview:
WS_FTP Server is a widely used FTP Server for the Microsoft
NT/2000/XP platform.
There exists a vulnerability within the software, which allows an
attacker to overwrite the return address on the stack, thus taking
control of the execution flow. This allows the attacker to run
arbitrary code on the system remotely
Detailed Description:
The WS_FTP Server allows users to change their password through
a site command, "site cpwd". The code handling the argument supplied
with this site command contains an unchecked string copy, allowing
an attacker to overwrite the return address stored on the stack.
Since the WS_FTP Server is running as a service, in most cases it will
be executing as SYSTEM.
The feature to allow user to change their passwords is enabled by
deafult, but it is possible for a WS_FTP Server administrator to turn
this functionality off.
Vendor Response:
This issue was reported to Ipswitch on July 25, 2002 and a patch was
produced short thereafter.
Recommendation:
Install the patch provided by Ipswitch:
ftp://ftp.ipswitch.com/ipswitch/product_support/WS_FTP_Server/ifs312.exe
For more info, see:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
Also, consider turning off all unused features and run the software
under a less privileged account.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2002-0926 WS_FTP SITE CPWD Buffer Overflow vulnerability
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
Copyright 2002 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQA/AwUBPVJ5SEe9kNIfAm4yEQJ45QCg8ZQeT5YBnM+M828g4/ADvDjQhqsAoLBj
8/7ChofztBBYnruT3tu62Kgr
=WJ3k
-----END PGP SIGNATURE-----