Date: Fri, 26 Jan 2007 23:55:08 +0100
From: "Michal Bucko" <michal.bucko@hack.pl.>
To: [email protected]Subject: WS_FTP 2007 Professional SCP handling format string vulnerability
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 8bit
X-Mailer: home.pl my.webmail
X-Priority: 3
X-Virus-Scanned: antivirus-gw at tyumen.ru
Synopsis: WS_FTP 2007 Professional SCP handling format string vulnerability
Product: WS_FTP 2007 Professional
Vendor: Ipswitch
I. Background
"[..]Transfer files anywhere, anytime, with complete security.
* Lightning fast transfer speeds
* Industry leading security
* Time saving features include schedule, backup, and email
notifications[..]"
II. Problem Description
Remote code execution is possible.
III. Details
SCP handling module is vulnerable to format string vulnerability.
Opening a specially crafted SCP file with WS_FTP 2007 script handler
might lead to arbitrary code execution. The specially crafted file
uses the WS_FTP script command "SHELL" and executes the file with
the specially crafted name. The file is access using "file://".
Kind regards,
Michal Bucko (sapheal)
