Bugtraq mailing list archives
Re: ncftp 2.4.3 bug
From: mgleason () NCFTP COM (Mike Gleason)
Date: Mon, 22 Jun 1998 13:11:04 -0500
At 09:57 AM 6/22/98 -0500, Shaw Terwilliger <twig () babba advancenet net> wrote:
> I hope you sent this to Mike Gleason before BugTraq...
Of course he didn't. It wouldn't do much good if I could post an official patch before there was widespread exploitation of the bug. After all, the more damage the bug causes, the more prestige he had to gain at my expense. However, I do subscribe to this list, and had been working on this problem (see below).
> you're not helping anyone by excluding the author from your audience. How do you think bugs are going to get fixed if you never tell the author [...] ?
Agreed. This is irresponsible and inexcusable behavior, especially considering my e-mail address is displayed every single time you run the program. But it'll keep happening too, as long as these self-appointed security experts exist with their own agendas. Michael at Cygnus experienced this problem with SN not too long ago, and of course I did as well a few months ago.
> [...] Paul Boehm <paul () BOEHM ORG> wrote:
> > i think i've found a bug in ncftp 2.4.3 (latest stable release)... if you connect to a ftp server that responds with something like the shit below ncftp2.4.3 segfaults. i think this is exploitable, but had no time/motivation to look further into it.
> > every reply that looks like this works:
> > 331 a
> > 230 b c[putting here some exploit code may work]
> > PS: i have no clue why this crashes ncftp... i haven't looked through ncftp's source
> > but maybe someone else will.
Did you ever think that perhaps the author would? He didn't seem to have enough time to make a cursory investigation into why this happens, or at least report it to me, but oddly he had plenty of time to post to this list about it. At least the last guy spent enough time to write an exploit to prove in fact that it was a bug and needed a fix ASAP. As for this particular bug, it crashes because ncftp 2.x was trying to copy from a NULL pointer. So, no buffer exploit. Version 3 (still beta) handles it just fine. The official gospel is to upgrade to version 3, since the bug doesn't occur naturally in the wild. BTW, thanks, Shaw, for making sure I knew about it. Luckily there are still more responsible Netizens out there than not.
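The reply above attributes the crash to ncftp 2.x copying from a NULL pointer when it gets an unexpected reply sequence; the thread does not say more about the mechanism. As an added example (not ncftp's code, and not a reconstruction of its bug), the following C reply parser shows the defensive shape a client needs: every line is validated against the RFC 959 format before anything is copied, every copy is bounded, and a reply that cannot be parsed is reported as a protocol error rather than dereferenced. The sample replies in `main`, including the two-line "331 a" / "230 b c" sequence from the report, are constructed for this example; the function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPLY_TEXT_MAX 256

typedef struct {
    int  code;                  /* 3-digit reply code, or -1 when parsing failed */
    char text[REPLY_TEXT_MAX];  /* text of the final line, always NUL-terminated */
    int  lines;                 /* number of lines consumed for this reply */
} ftp_reply;

/* Parse one reply line: "ddd text" (final) or "ddd-text" (continuation).
   Returns 1 and fills the out-params on success, 0 if the line is not a reply line.
   Never reads past a NUL and never dereferences a NULL line. */
static int parse_reply_line(const char *line, int *code, int *final, const char **text)
{
    if (line == NULL) return 0;
    if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1]) ||
        !isdigit((unsigned char)line[2]))
        return 0;
    if (line[3] != ' ' && line[3] != '-' && line[3] != '\0')
        return 0;
    *code  = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    *final = (line[3] != '-');
    *text  = (line[3] == '\0') ? line + 3 : line + 4;
    return 1;
}

/* Parse one complete reply (single- or multi-line) from buf.
   Returns the number of bytes consumed (> 0), or -1 for NULL input, a line that
   is not a reply line, or a multi-line reply that is never terminated. */
int ftp_parse_reply(const char *buf, ftp_reply *out)
{
    const char *p = buf;
    int first_code = -1;
    if (buf == NULL || out == NULL) return -1;
    out->code = -1; out->text[0] = '\0'; out->lines = 0;
    for (;;) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        char line[REPLY_TEXT_MAX + 8];
        int code = 0, final = 0, ok;
        const char *text = line;
        if (linelen == 0 && nl == NULL) return -1;          /* ran out of input */
        if (linelen >= sizeof line) linelen = sizeof line - 1; /* truncate, never overflow */
        memcpy(line, p, linelen);
        line[linelen] = '\0';
        if (linelen > 0 && line[linelen - 1] == '\r') line[--linelen] = '\0';
        out->lines++;
        ok = parse_reply_line(line, &code, &final, &text);
        if (first_code < 0) {
            if (!ok) return -1;                   /* garbage where a reply should be */
            first_code = code;
        } else if (!ok || !final || code != first_code) {
            final = 0; text = line;               /* free-form text inside a multi-line reply */
        }
        strncpy(out->text, text, REPLY_TEXT_MAX - 1);  /* bounded copy from a checked pointer */
        out->text[REPLY_TEXT_MAX - 1] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        if (final) { out->code = first_code; return (int)(p - buf); }
        if (nl == NULL) return -1;                /* "ddd-" reply with no terminating line */
    }
}

/* Code of the first reply in buf, or -1 if it cannot be parsed. */
int ftp_first_code(const char *buf)
{
    ftp_reply r;
    return ftp_parse_reply(buf, &r) > 0 ? r.code : -1;
}

/* Consume replies the way a client's read loop would, stopping at the first
   malformed one. Returns how many complete replies were parsed. */
int ftp_count_replies(const char *buf)
{
    int n = 0;
    if (buf == NULL) return 0;
    while (*buf != '\0') {
        ftp_reply r;
        int used = ftp_parse_reply(buf, &r);
        if (used <= 0) break;
        buf += used; n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample replies; the first mirrors the sequence in the report. */
    const char *samples[] = {
        "331 a\r\n230 b c\r\n",                         /* two back-to-back single-line replies */
        "230-Welcome\r\n  line two\r\n230 Done\r\n",    /* one multi-line reply */
        "garbage\r\n",                                  /* not a reply line at all */
        "331-unterminated\r\n",                         /* multi-line reply cut off */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("first code %d, replies %d\n", ftp_first_code(samples[i]), ftp_count_replies(samples[i]));
    return 0;
}
```

The point of the two-reply sample is that a client which expected a single reply and then blindly followed a pointer it never set would crash, whereas this loop simply hands back 331 and then 230 and leaves the decision about the unexpected code to the caller.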