Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability
> So it could be remotely exploitable after all. On the other hand, most
> people don't tell their browsers to open up a separate application to
> handle ftp:// links.

I agree. It could be exploited in the aforementioned way (but: WS_FTP is not registered to handle FTP protocol by default).

Now I am thinking of something else. Could we use a specially crafted FHF file to exploit the vulnerability? I haven't checked that yet.

Michal Bucko (sapheal)

Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability
On 1/14/07, 3APA3A wrote:

> Pretending this vulnerability IS exploitable, what is security impact
> from it? What can you achieve by exploiting this vulnerability you
> can't achieve without it?

This is a very relevant question, as it appears from the description that the vulnerability *is* exploitable--for instance if WS_FTP 2007 handles ftp:// URLs (in whatever browser the user is using) and the user clicks a link with a specially crafted, really long ftp:// URL (or if the user is told to paste in a ftp:// link and follows the instructions). That it is not remotely exploitable in some ways does not necessarily prevent it from being exploitable by an automatic, off-site mechanism (e.g. a link on a website) in other, more basic ways requiring simple user interaction.

So it could be remotely exploitable after all. On the other hand, most people don't tell their browsers to open up a separate application to handle ftp:// links.

-Eliah

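An added example, not part of the original thread: a PowerShell check of which program a Windows host launches for ftp:// links, the precondition discussed in the message above. It assumes the handler of interest is the wsftpurl.exe binary named in the advisory and reads the standard Windows URL-association registry keys.

```powershell
# Added example: report which command handles ftp:// links on this host.
# Assumption: the handler of interest is wsftpurl.exe (name taken from the advisory).

function Get-OpenCommand {
    param([string]$ClassKey)   # 'ftp' or a ProgId such as the one in UserChoice
    $path = "Registry::HKEY_CLASSES_ROOT\$ClassKey\shell\open\command"
    if (Test-Path -LiteralPath $path) {
        # The unnamed (default) value holds the command-line template.
        return (Get-Item -LiteralPath $path).GetValue('')
    }
    return $null
}

$found = @()

# 1. A per-user choice, when present, takes precedence over the class-wide handler.
$userChoice = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice'
if (Test-Path -LiteralPath $userChoice) {
    $progId = (Get-ItemProperty -LiteralPath $userChoice).ProgId
    if ($progId) {
        $found += [pscustomobject]@{
            Source  = "UserChoice ($progId)"
            Command = Get-OpenCommand -ClassKey $progId
        }
    }
}

# 2. The class-wide handler registered under HKEY_CLASSES_ROOT\ftp.
$found += [pscustomobject]@{
    Source  = 'HKEY_CLASSES_ROOT\ftp'
    Command = Get-OpenCommand -ClassKey 'ftp'
}

# Flag any entry that hands the URL to wsftpurl.exe as a command-line argument.
$found | ForEach-Object {
    $flag = ($_.Command -match 'wsftpurl\.exe')
    $_ | Add-Member -NotePropertyName HandledByWsftpurl -NotePropertyValue $flag -PassThru
} | Format-Table -AutoSize -Wrap
```

A row with `HandledByWsftpurl` set to `True` means a clicked ftp:// link on that host reaches wsftpurl.exe; an empty `Command` means no handler is registered at that location.
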
Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability
Dear [EMAIL PROTECTED],

shp> conditions. However, as the issue involves the control that is not
shp> marked safe for scripting nor for initialization, it cannot be
shp> exploited remotely. Moreover, as for now I have not proved it is
shp> exploitable.

shp> Unhandled exception at 0x7c840a81 in wsftpurl.exe:
shp> 0xC005: Access violation reading location 0x41414141.

shp> In order to analyze the vulnerability one might execute
shp> wsftpurl.exe with a long argument.

Pretending this vulnerability IS exploitable, what is security impact from it? What can you achieve by exploiting this vulnerability you can't achieve without it?

--
~/ZARAZA http://www.security.nnov.ru/
Reasoning depends upon programming, not on hardware and we are the ultimate program! (Frank Herbert).

Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability
Synopsis: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability

Product: Ipswitch WS_FTP 2007 Professional

Issue and details:
===

The vulnerability was found in wsbho2k0.dll. Function Open ( String ) when given a long argument leads to memory corruption conditions. However, as the issue involves the control that is not marked safe for scripting nor for initialization, it cannot be exploited remotely. Moreover, as for now I have not proved it is exploitable.

Unhandled exception at 0x7c840a81 in wsftpurl.exe:
0xC005: Access violation reading location 0x41414141.

In order to analyze the vulnerability one might execute wsftpurl.exe with a long argument. When providing a specially crafted string:

"A buffer overrun has been detected which overrun program's internal state".

Additional information:
==

As for now I am not aware of any exploits for this issue or even proofs that it is exploitable.

Kind regards,
Michal Bucko (sapheal)