CVE-1999-1171 in WS FTP Server
Summary
by MITRE
IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/25/2025
The vulnerability identified as CVE-1999-1171 affects IPswitch WS_FTP software, a widely used file transfer protocol client and server application in enterprise environments. This security flaw represents a privilege escalation vulnerability that allows local attackers to elevate their system access rights and modify critical mail account configurations within the WS_FTP system. The vulnerability specifically exploits a design weakness in how the software handles registry key permissions and access controls, creating a path for unauthorized privilege elevation that could significantly compromise system security.
The technical implementation of this vulnerability stems from improper access control mechanisms within the WS_FTP application's registry handling procedures. When local users manipulate the "flags" registry key to a specific value of 1920, they can bypass normal authentication and authorization checks that should prevent non-privileged users from accessing administrative functions. This particular registry key value acts as a trigger that unlocks elevated privileges within the software's operational context, allowing attackers to perform actions typically restricted to administrators or system-level processes. The flaw demonstrates poor input validation and insufficient privilege checking within the application's configuration management subsystem.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables attackers to modify or add mail accounts within the WS_FTP system. This capability provides adversaries with significant control over email communications and potentially allows them to intercept, modify, or redirect sensitive information. The vulnerability affects systems where WS_FTP is installed with default configurations, particularly in enterprise environments where the software is used for file sharing and email integration. Attackers could leverage this vulnerability to establish persistent access points within networks, potentially leading to broader compromise of connected systems and data breaches.
Security practitioners should note this vulnerability aligns with CWE-269: "Improper Privilege Management" and represents a classic example of insufficient access control. The ATT&CK framework categorizes this as privilege escalation through registry modification, specifically targeting the T1068: "Local Privilege Escalation" and T1112: "Modify Registry" techniques. Organizations should immediately implement registry permissions hardening, ensure proper access controls are enforced for WS_FTP configuration files, and consider restricting local user access to registry keys that control administrative functions. The vulnerability also highlights the importance of regular security assessments and proper software patch management, as this issue was likely present in multiple versions of the WS_FTP software and could have been exploited by attackers for years without detection.