Synopsis: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution
Michal Bucko (sapheal), HACKPL.
"[..]WS_FTP Server is commonly used for setting up an FTP server that
users to login, download and upload files.[..]", note from Ipswitch web
The first Vulnerability lies in iFTPAddU file, which is a part of the
and allows adding a new user. The iFTPAddU user-adding function cannot
than acceptable strings (it informs that the provided string is too long
to react in an appropriate way). The second vulnerability lies in iFTPAddH,
also the part of WS_FTP Server. It is similar to the mentioned above. The
third vulnerability lies in a edition module. There are local hostnames
that can be added using iFTPAddH but the WS_FTP Server user cannot modify
them or delete as the application fails to perform adequate bounds-checks
on user-supplied input.
Morever, Ipswitch Notification Server might also be vulnerable to remote
arbitrary code execution but, still, I haven't proved that yet.
Successful exploitation of the vulnerability allows the
attacker to run arbitrary code in context of current user.