WS_FTP 2007 Professional SCP handling format string vulnerability

2007-01-28T00:00:00
ID SECURITYVULNS:DOC:15885
Type securityvulns
Reporter Securityvulns
Modified 2007-01-28T00:00:00

Description

Synopsis: WS_FTP 2007 Professional SCP handling format string vulnerability Product: WS_FTP 2007 Professional Vendor: Ipswitch

I. Background

"[..]Transfer files anywhere, anytime, with complete security.

* Lightning fast transfer speeds
* Industry leading security
* Time saving features include schedule, backup, and email

notifications[..]"

II. Problem Description Remote code execution is possible.

III. Details SCP handling module is vulnerable to format string vulnerability. Opening a specially crafted SCP file with WS_FTP 2007 script handler might lead to arbitrary code execution. The specially crafted file uses the WS_FTP script command "SHELL" and executes the file with the specially crafted name. The file is access using "file://".

Kind regards,

Michal Bucko (sapheal)