Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities

Synopsis: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution
vulnerabilities

Michal Bucko (sapheal), HACKPL.

I. BACKGROUND
"[…]WS_FTP Server is commonly used for setting up an FTP server that
allows
users to login, download and upload files.[…]", note from Ipswitch web
site.

II. DESCRIPTION

The first Vulnerability lies in iFTPAddU file, which is a part of the
WS_FTP Server
and allows adding a new user. The iFTPAddU user-adding function cannot
handle longer
than acceptable strings (it informs that the provided string is too long
but fails
to react in an appropriate way). The second vulnerability lies in iFTPAddH,
which is
also the part of WS_FTP Server. It is similar to the mentioned above. The
third vulnerability lies in a edition module. There are local hostnames
that can be added using iFTPAddH but the WS_FTP Server user cannot modify
them or delete as the application fails to perform adequate bounds-checks
on user-supplied input.

Morever, Ipswitch Notification Server might also be vulnerable to remote
arbitrary code execution but, still, I haven't proved that yet.

III. IMPACT

Successful exploitation of the vulnerability allows the
attacker to run arbitrary code in context of current user.