[Full-disclosure] IPSwitch WS_FTP Logging Server Remote Denial of Service -- a VDA Labs, LLC discovery

IPSwitch WS_FTP Logging Server Remote Denial of Service

Version: 7.5.29.0 (Logsrv.exe)

Overview

The WS FTP logging server is a daemon that listens on UDP port 5151 and
is shipped with WS FTP and by default is turned on and used by the local
WS FTP instance. It binds to the public IP address of the server and is
accessible externally, in part so that other WS FTP machines are able to
use it as a logging interface.

Description of Crash

WS FTP uses a binary protocol to speak to the logging daemon, and each
transmission begins with a two byte header "0xab 0xaa". If using a long
string of characters to mangle the remaining portions of the message, a
pointer operation fails at:
0x00401769

cmp word ptr [ecx], 0AAADh
jnz short loc_401787

This crashes the process. By flipping two bytes immediately after the
two primary header bytes, you are also able to control where the
dereferencing address is at the time of the crash. However, this does
not appear to allow code execution on the remote host as the address
referenced is too far away from any user supplied input.

Discovered By

Justin Seitz of VDA Labs LLC ([email protected])

Full advisory and attack code location:

http://www.vdalabs.com/resources
http://www.vdalabs.com/tools/ipswitch.html

ipswitchlogsrv-killer.py - Change the IP and PORT numbers as necessary
at the top of the file. There are two bytes that lead to different
address offsets where the pointer dereference is attempted.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/