Vulnerabilities in BisonWare FTP Server 3.5

There are a few vulnerabilities in BisonWare FTP Server 3.5.

1) The server doesn't close the old socket from the last PASV command when given a new PASV command. Thus, it runs out of resources if you give lots of PASV commands in a row. Finally, you can't use the server, and it consumes lot's of memory that isn't released when the client disconnects.

2) If you log in and give the command "PORT a", and then press Enter a few thousand times in a row, the server will crash because it can't handle a non-numeric character after PORT and somehow adds all the CRLF's to the PORT command in a buffer that seems to overflow.

3) There are buffer overflows for commands that take arguments, for example LIST xxxx (1500 characters) and CWD xxx (1500 characters) will crash it. This works for the USER command too, so an attacker won't need a valid account.

4) The account passwords are stored in plaintext in the registry, at HKEY_CURRENT_USER\Software\BisonWare\BisonFTP3\Users and are also shown when you manage users in the server. They are also added to the logs when users log in, depending on how you configure logging. So don't put your logs in a directory that can be viewed by FTP users.

5) Something really dangerous is that after default installation, an anonymous user can access everything in your computer because you have to set the limitations after the installation.

© Arne Vidstrom. All rights reserved.