BisonWare FTP Server 3.5 Vulnerabilities

Date: Mon, 17 May 1999 12:52:02 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Vulnerabilities in BisonWare FTP Server 3.5

Arne Vidstrom submitted the following observations regarding BisonWare
FTP Server 3.5. I contacted the authors of BisonWare and gave them a
copy of Arne's message. After each of Arne's observations I include the
response from BisonWare's Nick Barnes sent back to me.

If you respond to this message, please ensure you're responding to Arne,
Nick, and/or the NTBugtraq list (as opposed to responding to me).

Russ - NTBugtraq Editor

AV=Arne Vidstrom (winnt@BAHNHOF.SE - May 8th, 1999)
NB=Nick Barnes ( - May 16th, 1999)

>Hi everybody,
>I've found a few vulnerabilities in BisonWare FTP Server 3.5 (latest
>version). Perhaps they are already known, but here they are:
>1) The server doesn't close the old socket from the last PASV command
>when given a new PASV command. Thus, it runs out of buffer space if you
>give lots of PASV commands in a row. Finally, you can't use the server,
>and it consumes lots of memory that isn't released when the client

>1.  Fixed in release 4.1 due out in the next 10 days.

>2) If you log in and give the command "PORT a", and then press Enter
>a few thousand times in a row, the server will crash because it can't
>handle a non-numeric character after PORT and somehow adds all the
>CRLF's to the PORT command in a buffer that seems to overflow.

>2.  Fixed in release 4.1

>3) There are buffer overflows for commands that take arguments, for
>example LIST xxxx (1500 characters) and CWD xxx (1500 characters) will
>crash it. This works for the USER command too, so an attacker won't
>need a valid account to crash the server.

>3.  Fixed in release 4.1

>4) The account passwords are stored in plaintext in the registry, at
>HKEY_CURRENT_USER\Software\BisonWare\BisonFTP3\Users and are also
>shown when you manage users in the server. They are also added to the
>logs when users log in, depending on how you configure logging. So
>don't put your logs in a directory that can be viewed by FTP users. ;)

>4.  Fixed in release 4.1.  Passwords will still be stored plain within
>the registry.  The registry should only ever be available to the
>administrator, and some large corporate clients use their own software
>to build user lists.

>5) Another point is that after default installation, an anonymous user
>can access everything in your computer because you have to set the
>limitations after installation. You can't really count that as a bug I
>guess, but it's really dangerous anyway... so if you run this server,
>make sure you reconfigure it if you haven't already!!!

>5.  This isn't really a bug from our point of view.  The whole point is
>to allow FTP operation immediately after install.  This is a selling
>advantage over competitive products which require lots of set up before
>you can use them with a client such as your browser.
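
Added example, not part of the original message and not BisonWare's code: a C sketch of the input handling whose absence observations 2 and 3 describe, with a hard cap on each command line and strict validation of the PORT argument. The function names, the 512-byte cap and the 8-byte verb buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FTP_MAX_LINE 512  /* assumed cap on one command line */

enum ftp_rc { FTP_OK = 0, FTP_TOO_LONG = -1, FTP_BAD_SYNTAX = -2 };

/* Split "VERB arg" into fixed-size buffers. `line` is one NUL-terminated
 * command with its CRLF already stripped; each line is handled on its own,
 * so empty lines are rejected here rather than appended to earlier input. */
int ftp_split(const char *line, char verb[8], char arg[FTP_MAX_LINE])
{
    size_t len = strlen(line);
    if (len >= FTP_MAX_LINE)
        return FTP_TOO_LONG;       /* e.g. CWD, LIST or USER + 1500 chars */
    size_t v = strcspn(line, " ");
    if (v == 0 || v >= 8)
        return FTP_BAD_SYNTAX;     /* empty line or oversized verb */
    memcpy(verb, line, v);
    verb[v] = '\0';
    const char *rest = line + v;
    while (*rest == ' ')
        rest++;
    snprintf(arg, FTP_MAX_LINE, "%s", rest);  /* fits: len < FTP_MAX_LINE */
    return FTP_OK;
}

/* Validate a PORT argument "h1,h2,h3,h4,p1,p2": exactly six decimal
 * fields, each 0..255, separated by commas, with nothing trailing. */
int ftp_parse_port(const char *arg, unsigned char out[6])
{
    for (int i = 0; i < 6; i++) {
        unsigned val = 0;
        int digits = 0;
        while (*arg >= '0' && *arg <= '9') {
            val = val * 10 + (unsigned)(*arg - '0');
            if (++digits > 3 || val > 255)
                return FTP_BAD_SYNTAX;
            arg++;
        }
        if (digits == 0)
            return FTP_BAD_SYNTAX;            /* "PORT a" is rejected here */
        if (*arg != (i < 5 ? ',' : '\0'))
            return FTP_BAD_SYNTAX;
        if (i < 5)
            arg++;
        out[i] = (unsigned char)val;
    }
    return FTP_OK;
}
```

A server loop would reply with a 500 or 501 error on any non-zero return and discard the line before reading the next one.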
