Preemptive Protection against WinFTP Server WFTPSRV.exe LIST FTP Command Buffer Overflow

Check Point Reference: CPAI-2009-033
Date Published:
Severity:
Last Updated:
Source: Secunia: SA32209
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Win FTP Win FTP Server 2.3 and earlier
Vulnerability Description
A buffer overflow vulnerability was reported in WinFTP Server, a popular Windows FTP Server. The vulnerability is due to insufficient bounds checking on certain FTP service commands. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted FTP LIST service command to the target server, potentially causing arbitrary code injection and execution with the privileges of the affected process.
Vulnerability Details
The vulnerability is due to a boundary error in "WFTPSRV.exe" when handling a malformed "LIST" command. Remote attackers could exploit this vulnerability by supplying an excessively long "LIST" command to a vulnerable installation of WinFTP. Successful exploitation would cause a buffer overflow that could allow the attacker to execute arbitrary code with the privileges of the logged-in user.

Protection Overview
When this protection is enabled, SmartDefense will detect and block overly long FTP commands. SmartDefense has been preemptive against this vulnerability since December 2006. No update is required to address this vulnerability.

IPS-1 will detect and block FTP commands involving long path names. IPS-1 has been preemptive against this vulnerability since June 2003. No update is required.
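The same kind of length check, applied to a reassembled FTP control channel, is sketched below as an added example; it is not Check Point's SmartDefense or IPS-1 code. The class and function names are hypothetical, the 280 limit is the value used in the configuration steps on this page, and measuring length in bytes without the line terminator (and flagging only commands longer than the limit) is an assumption.

```python
MAX_CMD_LEN = 280  # limit value from this page's configuration steps


class FtpCommandLengthMonitor:
    """Hypothetical monitor: rebuilds one client's control-channel lines and
    reports any command longer than the limit (bytes, terminator excluded)."""

    def __init__(self, limit=MAX_CMD_LEN):
        self.limit = limit
        self.buf = bytearray()
        self.discarding = False  # True while skipping the rest of a reported line

    def feed(self, data):
        """Consume one TCP segment; return a list of violation dicts."""
        alerts = []
        self.buf += data
        while True:
            end = self.buf.find(b"\n")
            if end == -1:
                # No terminator yet: report as soon as the pending line is too
                # long rather than buffering client-controlled data forever.
                partial = bytes(self.buf).rstrip(b"\r")
                if not self.discarding and len(partial) > self.limit:
                    alerts.append(self._alert(partial, complete=False))
                    self.discarding = True
                if self.discarding:
                    self.buf.clear()
                return alerts
            line = bytes(self.buf[:end]).rstrip(b"\r")
            del self.buf[:end + 1]
            if self.discarding:
                self.discarding = False  # end of a line that was already reported
            elif len(line) > self.limit:
                alerts.append(self._alert(line, complete=True))

    def _alert(self, line, complete):
        verb = line.split(b" ", 1)[0][:8].decode("ascii", "replace").upper()
        return {"verb": verb, "observed_len": len(line), "complete": complete}


def demo():
    # Constructed sample traffic (not captured): a login, a LIST whose argument
    # is padded past the limit and split across two segments, then a NOOP.
    segments = [
        b"USER anonymous\r\nPASS guest@example.invalid\r\n",
        b"LIST " + b"x" * 200,
        b"x" * 200 + b"\r\nNOOP\r\n",
    ]
    mon = FtpCommandLengthMonitor()
    return [alert for seg in segments for alert in mon.feed(seg)]
```

A line that never receives its terminator is reported once, with `complete` set to `False`, and its remaining bytes are dropped until the next line break.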

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > FTP > FTP Patterns.
2. In the FTP Patterns configuration pane, under Settings > Mode, check Active.
3. In the configuration pane, select Limit FTP Command length to, and make sure the limit value is less than or equal to 280.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Patterns Protection Violation
Attack Information: FTP Command Buffer Overflow Attempt

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > FTP > FTP Patterns. The FTP Patterns window opens.
2. Select Limit FTP Command length to, and make sure the limit value is less than or equal to 280.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: FTP Patterns Protection Violation
Attack Information: FTP Command Buffer Overflow Attempt

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > FTP > FTP Patterns.
2. In the FTP Patterns configuration pane, under Settings > Mode, check Active.
3. In the configuration pane, select Limit FTP Command length to, and make sure the limit value is less than or equal to 280.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Patterns Protection Violation
Attack Information: FTP Command Buffer Overflow Attempt

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > FTP, and select the FTP Command Attacks protection group.
3. Click Long FTP pathname (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: FTP Commands
Description: Long FTP pathname