InterSoft's internet suite includes an FTP server which has been found to have numerous vulnerabilities. Among them: The default configuration allows read/write access to the root of the C: drive for anonymous users. This write access includes overwrite and delete. If the server is setup with 'out of the box' options, anonymous remote users have full access to the operating system files and executables. There is no administrator account, which means that any user with console access can alter the server's settings. The encryption method used on the passwords for user accounts is reported to be weak and easily broken. There are also multiple buffer overflows. Supplying over 1024-character arguments to the following commands will crash the server: dir, ls, mkdir, delete, and rmdir. Also, althouth the PASS buffer is truncated at 16 characters for users with accounts, this limit is not in place for the anonymous user (to allow for proper entry of email addresses as passwords) and a...
InterSoft's internet suite includes an FTP server which has been found to have numerous vulnerabilities. Among them: The default configuration allows read/write access to the root of the C: drive for anonymous users. This write access includes overwrite and delete. If the server is setup with 'out of the box' options, anonymous remote users have full access to the operating system files and executables. There is no administrator account, which means that any user with console access can alter the server's settings. The encryption method used on the passwords for user accounts is reported to be weak and easily broken. There are also multiple buffer overflows. Supplying over 1024-character arguments to the following commands will crash the server: dir, ls, mkdir, delete, and rmdir. Also, althouth the PASS buffer is truncated at 16 characters for users with accounts, this limit is not in place for the anonymous user (to allow for proper entry of email addresses as passwords) and a 1024-byte string 'password' will crash the server if user name 'anonymous' is supplied. It may be possible to exploit these overflows to run arbitrary code.
