J-Security Center

Title: WFTPD Path/File Mapping Buffer Overflow Vulnerability

Severity: HIGH

Description:

WFTPD is a popular FTP server developed by Texas Imperial Software for Windows systems.

It has been reported that a buffer overflow condition exists in WFTPD.

The condition is present when a user requests a 'LIST' of the current directory contents or 'LIST -d' (for a directory).

If the user-supplied path of the current directory is more than (approximately) 250 characters, a buffer overflow occurs and the server may crash. If a file with a long filename exists in the directory, the overflow can also be triggered when the path of the current directory and the filename add up to more than 250 characters. The overrun also occurs when 'LIST -d' is issued for a directory with an oversized name.

This behaviour suggests that the overflow occurs during mapping of files and directories in the user's current directory to 'actual' files on the filesystem. Somewhere during this process, a static buffer is overrun. This is likely due to an unbounded string copy.

If this overrun occurs on the stack, it may be possible for malicious users to execute arbitrary code on the underlying host. At the very least, attackers can use this vulnerability to crash WFTPD.

It should be noted that the exploitation of this vulnerability is not dependent on an existing 'large' filesystem layout. Using "....../" character sequences, it is possible for attackers to 'enter' a current working directory that has an unusually large but valid path.
i.e.:

CD ......................................../

^^ This will cause the FTP server to change to the directory above the current one. The path of the current directory will include all of those dots, and can thus be 'large' enough to exploit the buffer overflow vulnerability. See Bugtraq ID 2779 for more information on this behaviour.
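
For maintainers of similar path-mapping code, the following C example is added here for illustration; it is not WFTPD source code, which this advisory does not show. It joins a root, the current directory and a filename into a fixed buffer with an explicit length check, and rejects dot-only components longer than "..". The names map_path, has_dot_run_component and MAP_BUF, and the 260-byte buffer size, are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAP_BUF 260  /* assumed size; the advisory only says "approximately 250" */

/* Returns 1 if the n-byte component consists only of dots and is longer than "..". */
static int is_dot_run(const char *s, size_t n)
{
    size_t i;
    if (n < 3) return 0;
    for (i = 0; i < n; i++)
        if (s[i] != '.') return 0;
    return 1;
}

/* Returns 1 if any '/' or '\\' separated component of path is a long dot run. */
int has_dot_run_component(const char *path)
{
    while (*path) {
        size_t n = strcspn(path, "/\\");
        if (is_dot_run(path, n)) return 1;
        path += n;
        if (*path) path++;          /* skip the separator */
    }
    return 0;
}

/* Hypothetical mapping step: build "root/cwd/name" in out.
 * The unbounded form of this step would be strcpy/strcat or sprintf
 * into a static buffer, which is the pattern the advisory suspects.
 * Returns 0 on success, -1 if the request is rejected.
 * Never writes past out[outlen - 1]. */
int map_path(const char *root, const char *cwd, const char *name,
             char *out, size_t outlen)
{
    int n;
    if (has_dot_run_component(cwd) || has_dot_run_component(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s/%s", root, cwd, name);
    if (n < 0 || (size_t)n >= outlen) {  /* result would not fit */
        if (outlen) out[0] = '\0';       /* never hand back a truncated path */
        return -1;
    }
    return 0;
}
```

Rejecting on length instead of silently truncating matters here: a truncated path could map a request onto a different file than the one named.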

If anonymous FTP is enabled, this vulnerability may be exploitable by attackers on the Internet without authentication.

This vulnerability was reportedly discovered and tested on version 3.00 R5 for Windows 95/98/Me. It is believed that other versions for all platforms are affected, but this has not been confirmed.

Affected Products:

  • Texas Imperial Software WFTPD 3.0.0
  • Texas Imperial Software WFTPD 3.0.00R3
  • Texas Imperial Software WFTPD 3.0.00R4
  • Texas Imperial Software WFTPD 3.0.00R4 Pro
  • Texas Imperial Software WFTPD 3.0.00R5
  • Texas Imperial Software WFTPD 3.0.00R5 Pro
