Ipswitch WS_FTP Server Stack Overflow Vulnerability

Attack ID:	CPAI-2004-12

Publish Date:

Category:	Ipswitch WS_FTP Server Stack Overflow Vulnerability

Vulnerable Systems:	Ipswitch WS_FTP Server 4.0

Source:	Hugh Mann

Description:	A buffer overflow vulnerability was discovered in the Ipswitch WS_FTP that allows a malicious user to execute arbitrary code by using the FTP Server user privileges.

Severity:

Details:	Several buffer overrun vulnerabilities have been detected in IPswitch WS-FTP Server. By sending specially crafted Server commands (REST, SITE) containing over-sized parameters, a malicious user may cause a memory buffer overrun that may lead to arbitrary code execution with WS_FTP user privileges.

Attack Detection:	Using the SmartView Tracker, note the usage of the disallowed SITE command. A Reject log entry will be generated, with reason: command 'REST' was blocked in the information field.

Solution:	VPN-1 NG FP3 and above block the SITE command by default, if the FTP security server is turned on. The REST command should be added to the Blocked commands list. To add REST to the Blocked Commands list: In SmartDefense tab, go to Application Intelligence > FTP > FTP Security Server > Allowed FTP commands and add the 'REST' command to the Blocked commands list. To turn on the SmartDefense protection: VPN-1 NG with Application Intelligence (R54) and above: From the SmartDefense menu, select Application Intelligence > FTP > FTP Security Server. Choose whether the configuration applies to "all connections" or "resources used in the rule base". A resourced rule should be configured if the second option was selected. Install the security policy on all modules. FP3 users: From the SmartDefense menu, select FTP >FTP Security Server. Choose whether the configuration applies to "all connections" or "resources used in the rule base". A resourced rule should be configured if the second option was selected. Install the security policy on all modules.

Industry Reference:

Additional Information: