[immune advisory] Multiple vulnerabilities found in BisonFTP
================================================================================

BisonFTP is an FTP daemon used on Microsoft Windows 9x/NT systems.

-[ DESCRIPTION ]----------------------------------------------------------------

I)  BisonFTP is vulnerable to a DoS attack through FTP commands that carry
    a very large amount of data. When the FTP command ls or cwd is sent
    with 4300 bytes or more, BisonFTP goes to 100% CPU usage and stays
    there until the socket is closed by the client.

II) It's possible to trick BisonFTP into revealing confidential information
    about files outside the FTP root.

    ftp> ls @../
    227 Entering PASV Mode (10,10,10,10,4,126)
    150 Directory List Follows
    -rwxrwxrwx 1 user group 739577 Feb 05 2002 BisonFTP42.exe
    226 Listing complete.
    ftp> mget @../Biso
    local: BisonFTP42.exe remote: BisonFTP42.exe
    227 Entering PASV Mode (10,10,10,10,4,128)
    550 File does not exist
    ftp> %

    Note that BisonFTP42.exe is NOT located in the FTP root.

-[ AFFECTED VERSIONS ]----------------------------------------------------------

BisonFTP v4r2.
* Earlier versions are not tested.

-[ SOLUTION/WORKAROUND ]--------------------------------------------------------

It's not possible to get in contact with the people at http://www.bisonftp.com
anymore. I guess a new version will never be released.

Workaround: since there might not be a new version, you are probably better
off installing another FTP daemon.

-[ CREDIT ]---------------------------------------------------------------------

Bugs found:       15/jan 2003, by Jimmi Andersen
Vendor contacted: 11/feb 2003
Made public:      17/feb 2003

http://www.immune.dk | Immune - Attack and defense of systems
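
Added example, not part of the original advisory and not BisonFTP code: a log-side check for the two request patterns the advisory describes, run over FTP control-channel command lines. The wire verbs (LIST/NLST for the client's ls, RETR for mget), the function names and the sample lines are assumptions made for this illustration.

```python
import re

# Threshold and commands from the advisory: "ls or cwd with 4300 bytes or more".
# Assumption: the client's "ls" reaches the server as LIST or NLST (RFC 959).
OVERSIZE_BYTES = 4300
SIZE_CHECKED = {"LIST", "NLST", "CWD"}
# Verbs whose argument is a path; RETR covers the advisory's "mget".
PATH_VERBS = SIZE_CHECKED | {"RETR"}

# A path segment that is ".." optionally prefixed by non-word characters,
# which covers both a plain "../" and the advisory's "@../" form.
PARENT_SEGMENT = re.compile(r"^\W*\.\.$")


def inspect_command(line):
    """Return the list of findings for one command line (bytes, CRLF optional)."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    verb = verb.decode("ascii", "replace").upper()
    findings = []
    if verb in SIZE_CHECKED and len(arg) >= OVERSIZE_BYTES:
        findings.append("oversized-argument")
    if verb in PATH_VERBS:
        segments = re.split(r"[\\/]", arg.decode("latin-1"))
        if any(PARENT_SEGMENT.match(s) for s in segments):
            findings.append("parent-directory-reference")
    return findings


def scan(lines):
    """Yield (line_number, verb, findings) for every line that has a finding."""
    for n, line in enumerate(lines, 1):
        found = inspect_command(line)
        if found:
            yield n, line.split(None, 1)[0].decode("ascii").upper(), found


# Constructed sample input, not captured traffic.
SAMPLE = [
    b"CWD pub\r\n",
    b"LIST @../\r\n",
    b"RETR @../BisonFTP42.exe\r\n",
    b"CWD " + b"A" * 4300 + b"\r\n",
    b"LIST releases/v4..r2\r\n",  # ".." inside a name is not a parent reference
]

if __name__ == "__main__":
    for n, verb, found in scan(SAMPLE):
        print(n, verb, ", ".join(found))
```

The same two checks can be applied in a filtering proxy in front of the daemon, rejecting the command before it reaches the server instead of only reporting it.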