WS_FTP Vulnerabilities
Updated 8/15/02
CAN 2001-1021
CVE 2002-0826
Impact
A regular or anonymous FTP user could
execute arbitrary commands on the server.
Background
The File Transfer Protocol (FTP) allows a client to store
or retrieve files on a server. WS_FTP
is an FTP server which runs on Windows platforms and features
secure file transfer using encryption and flexible access
controls.
The Problem
8/15/02
CVE 2002-0826
The WS_FTP Server allows users to change their password through
the site cpwd command. The code handling the
argument supplied with this site command contains an unchecked
string copy, allowing an attacker to overwrite the return address
stored on the stack. This allows the attacker to run arbitrary
code on the system remotely, with the privileges of the WS_FTP
service, usually SYSTEM. This vulnerability affects WS_FTP
versions 3.1.1 and earlier.
The feature to allow users to change their passwords is enabled by
default, but it is possible for a WS_FTP Server administrator to
turn this functionality off.
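An illustration of the bug class described above, as an added example that is not WS_FTP's code or part of the original advisory: an unchecked copy of the site cpwd argument into a stack buffer, beside a length-checked form. The function names, the return codes and the 64-byte buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CPWD_BUF 64   /* assumed size; the advisory does not give the real one */

/* Vulnerable pattern, for contrast only: an argument of CPWD_BUF bytes or
   more is written past arg_buf, over the saved return address. */
int site_cpwd_unchecked(const char *arg)
{
    char arg_buf[CPWD_BUF];
    strcpy(arg_buf, arg);                /* unchecked string copy */
    return (int)strlen(arg_buf);
}

/* Hardened form: parse "SITE CPWD <arg>" and copy with an explicit bound.
   Returns 0 on success, -1 on a malformed command, -2 when the argument
   does not fit (rejected, never silently truncated). */
int site_cpwd_checked(const char *line, char *out, size_t outsz)
{
    static const char prefix[] = "SITE CPWD ";
    size_t plen = sizeof(prefix) - 1;
    size_t len;

    if (line == NULL || out == NULL || outsz == 0)
        return -1;
    if (strncasecmp(line, prefix, plen) != 0)
        return -1;
    line += plen;
    len = strcspn(line, "\r\n");         /* argument ends at CRLF */
    if (len == 0)
        return -1;
    if (len >= outsz)                    /* leave room for the terminator */
        return -2;
    memcpy(out, line, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char out[CPWD_BUF], big[512];
    snprintf(big, sizeof big, "SITE CPWD %0300d\r\n", 0);  /* constructed oversized input */
    printf("short: %d\n", site_cpwd_checked("site cpwd s3cret\r\n", out, sizeof out));
    printf("long:  %d\n", site_cpwd_checked(big, out, sizeof out));
    return 0;
}
```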
11/8/01
The WS_FTP server is affected by a buffer overflow in the processing
of the STAT command. A remote user who logs
onto the server, either as an ordinary user or anonymously,
could execute arbitrary commands with System privileges.
WS_FTP 2.0.3 and earlier are affected.
8/7/01
CAN 2001-1021
An anonymous user could also execute commands
due to a second buffer overflow condition in the processing of
FTP commands. Only anonymous
users, not ordinary ones, are able to exploit this vulnerability.
WS_FTP servers 2.0.2 and earlier are affected by this vulnerability
if the anonymous account is enabled.
Resolution
Upgrade to WS_FTP 3.1.3 or higher. It is recommended that you upgrade
even if you disable the feature that allows users to change their
passwords.
Where can I read more about this?
The CPWD buffer overflow vulnerability was reported by @stake.
The other two vulnerabilities were reported in Defcom Labs Advisories
2001-28 and 2001-31.