Hi all, It have been confirmed by Oliver Schneider that "WS_FTP Pro 8.0.3 License Version" is also vulnerable to this vulnerability. (Thanks! Mr. Oliver ;-) Regards, nesumin -----Original Message----- From: nesumin@softhome.net Sent: Wed, 17 Mar 2004 00:02:10 +0900 To: john layman <john@interteq.net>, bugtraq@securityfocus.com Subject: Re: ws_ftp overflow > Hello, john, > > It seems vendor has tried to prevent this stack-based buffer overflow in > version 8.0.3.0 by limiting our data's size less than 0x0200 bytes. > But the size of buffer which they have allocated to treat our data was > 0x0100 bytes only. > As far as I have tested on WS_FTP Pro 8.0.3.0 Evaluation Version, > I could execute the code by exploiting this vulnerability. > > Therefore it appears that this vulnerability has not been solved yet > though I don't know whether "Non Evaluation Version" is vulnerable > or not. > > By the way, I had reported the same vulnerability of "WS_FTP Pro 7.6.2.0" > and prior versions to Ipswitch in 2003/05/08 although I could not get a > good response. > > > Regards, > nesumin > > > -----Original Message----- > From: john layman <john@interteq.net> > Sent: 14 Mar 2004 21:41:30 -0000 > To: bugtraq@securityfocus.com > Subject: ws_ftp overflow > > > > > > > > Product: WS_FTP Pro v8.02 and probably earlier versions. > > Vendor: Ipswitch > > > > Vendor's Product Description: > > > > WS_FTP Pro is the market leader in Windows-based FTP (file transfer protocol) client software. It enables users and organizations to move files between local and remote systems while enjoying the utmost in: > > > > Problem: > > > > WS_FTP Pro suffers a buffer over-run when ASCII mode directory data is passed to the client from the server, and this data exceeds 260 bytes without a terminating CR/LF. The application crashes with an error stating "instruction at 0xNNNNNNNN has addressed memory at ..." where 0xNNNNNNNN is a value in the overflowed buffer; suggesting that it is possible to cause WS_FTP Pro to continue execution at another location in memory - arbitrary code execution (?) > > > > This problem can be demonstrated by creation of a long filename or directory name (250 bytes or more) in the ftp directory on the server, connecting to it and viewing the directory listing. > > > > Fix: > > > > Ipswitch was contacted about this problem, and version 8.03 appears to have solved it. Update!
