@stake, Inc. www.atstake.com Security Advisory Advisory Name: WS_FTP SITE CPWD Buffer Overflow vulnerability Release Date: 08/08/2002 Application: WS_FTP SERVER 3.1.1 Platform: Windows NT/2000/XP Severity: A buffer overflow occurs allowing the remote execution of arbitrary code Author: Andreas Junestam (andreas@atstake.com) Vendor Status: Patch is released CVE Candidate: CAN-2002-0826 Reference: www.atstake.com/research/advisories/2002/a080802-1.txt Overview: WS_FTP Server is a widely used FTP Server for the Microsoft NT/2000/XP platform. There exists a vulnerability within the software, which allows an attacker to overwrite the return address on the stack, thus taking control of the execution flow. This allows the attacker to run arbitrary code on the system remotely Detailed Description: The WS_FTP Server allows users to change their password through a site command, "site cpwd". The code handling the argument supplied with this site command contains an unchecked string copy, allowing an attacker to overwrite the return address stored on the stack. Since the WS_FTP Server is running as a service, in most cases it will be executing as SYSTEM. The feature to allow user to change their passwords is enabled by default, but it is possible for a WS_FTP Server administrator to turn this functionality off. Vendor Response: This issue was reported to Ipswitch on July 25, 2002 and a patch was produced short thereafter. Recommendation: Install the patch provided by Ipswitch: ftp://ftp.ipswitch.com/ipswitch/product_support/WS_FTP_Server/ifs312.exe For more info, see: http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html Also, consider turning off all unused features and run the software under a less privileged account. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2002-0826 WS_FTP SITE CPWD Buffer Overflow vulnerability @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2002 @stake, Inc. All rights reserved.