
bisonware.ftp.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

BisonWare FTP Server 3.5 has vulnerabilities including memory leaks and plaintext passwords.

Code
`Date: Mon, 17 May 1999 12:52:02 -0400  
From: Russ <[email protected]>  
To: [email protected]  
Subject: Vulnerabilities in BisonWare FTP Server 3.5  
  
Arne Vidstrom submitted the following observations regarding BisonWare  
FTP Server 3.5. I contacted the authors of BisonWare and gave them a  
copy of Arne's message. After each of Arne's observations I include the  
response from BisonWare's Nick Barnes sent back to me.  
  
If you respond to this message, please ensure you're responding to Arne,  
Nick, and/or the NTBugtraq list (as opposed to responding to me).  
  
Cheers,  
Russ - NTBugtraq Editor  
  
AV=Arne Vidstrom ([email protected] - May 8th, 1999)  
NB=Nick Barnes ([email protected] - May 16th, 1999)  
  
AV  
>Hi everybody,  
>  
>I've found a few vulnerabilities in BisonWare FTP Server 3.5 (latest  
>version). Perhaps they are already known, but here they are:  
>  
>1) The server doesn't close the old socket from the last PASV command  
>when given a new PASV command. Thus, it runs out of buffer space if you  
>give lots of PASV commands in a row. Finally, you can't use the server,  
>and it consumes lots of memory that isn't released when the client  
>disconnects.  
  
NB  
>1. Fixed in release 4.1 due out in the next 10 days.  
  
AV  
>2) If you log in and give the command "PORT a", and then press Enter  
>a few thousand times in a row, the server will crash because it can't  
>handle a non-numeric character after PORT and somehow adds all the  
>CRLFs to the PORT command in a buffer that seems to overflow.  
  
NB  
>2. Fixed in release 4.1  
  
AV  
>3) There are buffer overflows for commands that take arguments, for  
>example LIST xxxx (1500 characters) and CWD xxx (1500 characters) will  
>crash it. This works for the USER command too, so an attacker won't  
>need a valid account to crash the server.  
  
NB  
>3. Fixed in release 4.1  
  
AV  
>4) The account passwords are stored in plaintext in the registry, at  
>HKEY_CURRENT_USER\Software\BisonWare\BisonFTP3\Users and are also  
>shown when you manage users in the server. They are also added to the  
>logs when users log in, depending on how you configure logging. So  
>don't put your logs in a directory that can be viewed by FTP users. ;)  
  
NB  
>4. Fixed in release 4.1. Passwords will still be stored plain within  
>the registry. The registry should only ever be available to the  
>administrator, and some large corporate clients use their own software  
>to build user lists.  
  
AV  
>5) Another point is that after default installation, an anonymous user  
>can access everything in your computer because you have to set the  
>limitations after installation. You can't really count that as a bug I  
>guess, but it's really dangerous anyway... so if you run this server,  
>make sure you reconfigure it if you haven't already!!!  
  
NB  
>5. This isn't really a bug from our point of view. The whole point is  
>to allow FTP operation immediately after install. This is a selling  
>advantage over competitive products which require lots of set up before  
>you can use them with a client such as your browser.  
  
`
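
Items 2 and 3 in the message above describe crashes from a non-numeric `PORT` argument and from over-long arguments to `LIST`, `CWD` and `USER`. The C code below is an added example of the bounded parsing that prevents this class of bug; it is not BisonWare's code or its 4.1 fix, and the names `ftp_split_command` and `ftp_parse_port` and the 512-byte line cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FTP_MAX_LINE 512  /* assumed cap on one command line, CRLF included */
enum { FTP_OK = 0, FTP_ERR_TOO_LONG = -1, FTP_ERR_SYNTAX = -2 };

/* Split one "VERB arg\r\n" line into caller-sized buffers. Each line is
 * handled on its own: bare CRLFs are rejected, never appended to a buffer. */
int ftp_split_command(const char *line, size_t len,
                      char verb[8], char *arg, size_t arg_cap)
{
    if (len >= FTP_MAX_LINE) return FTP_ERR_TOO_LONG;   /* reject, don't truncate */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n')) len--;
    size_t v = 0;
    while (v < len && line[v] != ' ') v++;
    if (v == 0 || v >= 8) return FTP_ERR_SYNTAX;        /* empty or oversized verb */
    memcpy(verb, line, v);
    verb[v] = '\0';
    size_t a = (v < len) ? v + 1 : len;                 /* skip the single space */
    if (len - a >= arg_cap) return FTP_ERR_TOO_LONG;    /* e.g. USER + 1500 chars */
    memcpy(arg, line + a, len - a);
    arg[len - a] = '\0';
    return FTP_OK;
}

/* PORT argument is "h1,h2,h3,h4,p1,p2": exactly six decimal fields, 0..255. */
int ftp_parse_port(const char *arg, unsigned char out[6])
{
    for (int field = 0; field < 6; field++) {
        unsigned value = 0;
        int digits = 0;
        while (*arg >= '0' && *arg <= '9') {
            value = value * 10 + (unsigned)(*arg++ - '0');
            if (++digits > 3 || value > 255) return FTP_ERR_SYNTAX;
        }
        if (digits == 0) return FTP_ERR_SYNTAX;         /* "PORT a" stops here */
        out[field] = (unsigned char)value;
        if (field < 5 && *arg++ != ',') return FTP_ERR_SYNTAX;
    }
    return (*arg == '\0') ? FTP_OK : FTP_ERR_SYNTAX;    /* no trailing data */
}

int main(void)
{
    char verb[8], arg[256];
    unsigned char hp[6];
    const char *line = "PORT a\r\n";                    /* constructed sample input */
    int rc = ftp_split_command(line, strlen(line), verb, arg, sizeof arg);
    printf("split=%d port=%d\n", rc, rc == FTP_OK ? ftp_parse_port(arg, hp) : rc);
    return 0;
}
```

A server using this pattern answers a rejected line with an error reply and keeps no state from it, so a stream of empty lines after a bad `PORT` has nothing to accumulate into.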
