Bugtraq mailing list archives
Re: WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability
From: core.lists.bugtraq () CORE-SDI COM (iarce)
Date: Thu, 4 Nov 1999 16:56:14 -0300
Alun Jones wrote:

> In response to Luck Martins' report of a buffer overflow in WFTPD 2.40 and 2.34, we can confirm that this error does exist. Our initial tests suggest that it is more of

I guess we will have to wait for the 'final tests' then...

> a 'denial-of-service' nature, rather than an exploit allowing an attacker to load their own code into memory - the access that generates the fault is overwriting a single null byte into heap space, rather than stack space.

This is incorrect, asolino () core-sdi com wrote an exploit for 2.34 that overwrites the stack and provides a remote shell with the only constraint of having ftp access on the vulnerable box. It uses the MKD overflow and exploits WFTPD on winNT 4.0 SP[3-4], win95 and win98. The exploit will be posted to bugtraq by him in a few minutes.

So the above is obviously:
a) a flawed attempt to minimize the impact of the hole based on marketroid strategies related to the term 'damage control'
b) a technical mistake made in the rush of checking the existence or not of the hole.

I'd be very happy to think option b) is what happened, I wonder how many tests are needed when you have the source code of the buggy program tho. I don't mean to be picky but I've seen a) happen a lot more than b)

> We've been working on this problem over the weekend, coinciding as it has with our intent to release a new version, 2.41, early this week. We are completing regression testing and beta testing and will be releasing the new version later today.
>
> Alun Jones
> President, Texas Imperial Software.

Alberto Soliño, the person at CORE that wrote the exploit, also identified another remotely exploitable buffer overflow that does not require ftp access. Since your next release will attempt to cover the security holes found it would be good to also fix this, you may contact asolino () core-sdi com for the details.

-ivan

-------------------------------------------------------------------
Ivan Arce
Presidente
CORE SDI S.A.
Buenos Aires, Argentina
http://www.core-sdi.com
TE: +54-11-4331-5402
-------------------------------------------------------------------

--- For a personal reply use iarce () core-sdi com