Synopsis: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities

Michal Bucko (sapheal), HACKPL.

I. BACKGROUND

"[..]WS_FTP Server is commonly used for setting up an FTP server that allows users to login, download and upload files.[..]", note from Ipswitch web site.

II. DESCRIPTION

The first vulnerability lies in the iFTPAddU file, which is part of WS_FTP Server and allows adding a new user. The iFTPAddU user-adding function cannot handle strings longer than the acceptable length: it reports that the provided string is too long but fails to react in an appropriate way.

The second vulnerability lies in iFTPAddH, which is also part of WS_FTP Server. It is similar to the one described above.

The third vulnerability lies in an editing module. Local hostnames can be added using iFTPAddH that the WS_FTP Server user then cannot modify or delete, because the application fails to perform adequate bounds checks on user-supplied input.

Moreover, Ipswitch Notification Server might also be vulnerable to remote arbitrary code execution but, still, I haven't proved that yet.

III. IMPACT

Successful exploitation of the vulnerability allows the attacker to run arbitrary code in the context of the current user.
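The Description says the user-adding function reports an over-long string but does not act on it. The C sketch below is an added example, not Ipswitch code and not code from this advisory: it places that warn-only pattern beside a version in which the length check gates the copy. The function names, the 32-byte limit and the return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN ((size_t)32)  /* assumed limit; the advisory gives no sizes */

/* Flawed pattern (hypothetical): the check reports the problem, then
 * execution falls through to the unbounded copy anyway. */
int add_user_warn_only(char *dst, const char *name)
{
    if (strlen(name) > NAME_MAX_LEN)
        fprintf(stderr, "user name too long\n");  /* informs ...            */
    strcpy(dst, name);                            /* ... but still copies   */
    return 0;
}

/* Hardened form (hypothetical): the check is a gate. Over-long input is
 * refused, not truncated, before any byte of it reaches the record. */
int add_user_checked(char *dst, size_t dst_size, const char *name)
{
    const char *end;
    size_t len;

    if (dst == NULL || name == NULL || dst_size == 0)
        return -1;                                /* bad arguments          */
    end = memchr(name, '\0', dst_size);           /* bounded scan for NUL   */
    if (end == NULL || (size_t)(end - name) > NAME_MAX_LEN) {
        dst[0] = '\0';                            /* keep a known state     */
        return -3;                                /* too long: reject       */
    }
    len = (size_t)(end - name);
    if (len == 0)
        return -2;                                /* empty name             */
    memcpy(dst, name, len + 1);                   /* len + NUL fits in dst  */
    return 0;
}

int main(void)
{
    char record[NAME_MAX_LEN + 1];
    char oversized[200];                          /* constructed sample input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("alice     -> %d\n", add_user_checked(record, sizeof record, "alice"));
    printf("oversized -> %d\n", add_user_checked(record, sizeof record, oversized));
    return 0;
}
```

The rejecting version returns a distinct code for over-long input, so a caller can log and refuse the request instead of continuing with a partially written record.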