Bugtraq mailing list archives

WS_FTP 2007 Professional SCP handling format string vulnerability

From: "Michal Bucko" <michal.bucko () hack pl>
Date: Fri, 26 Jan 2007 23:55:08 +0100

Synopsis: WS_FTP 2007 Professional SCP handling format string vulnerability
Product: WS_FTP 2007 Professional
Vendor: Ipswitch
 
 
 
I. Background
 
 
 
"[..]Transfer files anywhere, anytime, with complete security.
 
    * Lightning fast transfer speeds
    * Industry leading security
    * Time saving features include schedule, backup, and email 
notifications[..]"
 
 
 
II. Problem Description
Remote code execution is possible.
 
III. Details
SCP handling module is vulnerable to format string vulnerability.
Opening a specially crafted SCP file with WS_FTP 2007 script handler
might lead to arbitrary code execution. The specially crafted file 
uses the WS_FTP script command "SHELL" and executes the file with
the specially crafted name. The file is access using "file://".
 
 
 

Kind regards,
 
Michal Bucko (sapheal)

Current thread:

WS_FTP 2007 Professional SCP handling format string vulnerability Michal Bucko (Jan 27)