[Full-disclosure] IPSwitch WS_FTP Logging Server Remote Denial of Service -- a VDA Labs, LLC discovery

[Jared DeMott]

IPSwitch WS_FTP Logging Server Remote Denial of Service
------------------------------------------------
Version: 7.5.29.0 (Logsrv.exe)

Overview
--------
The WS FTP logging server is a daemon that listens on UDP port 5151 and
is shipped with WS FTP and by default is turned on and used by the local
WS FTP instance. It binds to the public IP address of the server and is
accessible externally, in part so that other WS FTP machines are able to
use it as a logging interface.

Description of Crash
--------------------
WS FTP uses a binary protocol to speak to the logging daemon, and each
transmission begins with a two byte header "0xab 0xaa". If using a long
string of characters to mangle the remaining portions of the message, a
pointer operation fails at:
0x00401769

cmp     word ptr [ecx], 0AAADh
jnz     short loc_401787

This crashes the process. By flipping two bytes immediately after the
two primary header bytes, you are also able to control where the
dereferencing address is at the time of the crash. However, this does
not appear to allow code execution on the remote host as the address
referenced is too far away from any user supplied input.

Discovered By
----------------
Justin Seitz of VDA Labs LLC (jseitz at vdalabs.com)


Full advisory and attack code location:
----------------------------------------
http://www.vdalabs.com/resources
http://www.vdalabs.com/tools/ipswitch.html

ipswitchlogsrv-killer.py - Change the IP and PORT numbers as necessary
at the top of the file. There are two bytes that lead to different
address offsets where the pointer dereference is attempted.