Bugtraq mailing list archives

Re: WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability


From: core.lists.bugtraq () CORE-SDI COM (iarce)
Date: Thu, 4 Nov 1999 16:56:14 -0300


Alun Jones wrote:

> In response to Luck Martins' report of a buffer overflow in
> WFTPD 2.40 and 2.34, we can confirm that this error does
> exist.  Our initial tests suggest that it is more of

I guess we will have to wait for the 'final tests' then...


> a 'denial-of-service' nature, rather than an exploit
> allowing an attacker to load their own code into memory -
> the access that generates the fault is overwriting a single
> null byte into heap space, rather than stack space.


This is incorrect, asolino () core-sdi com wrote
an exploit for 2.34 that overwrites the stack and
provides a remote shell with the only constraint of
having ftp access on the vulnerable box.
It uses the MKD overflow and exploits WFTPD on
winNT 4.0 SP[3-4], win95 and win98.
The exploit will be posted to bugtraq by him in a few
minutes.

So the above is obviously:
 a) a flawed attempt to minimize the impact of the hole
     based on marketroid strategies related to the term
     'damage control'
 b) a technical mistake made in the rush of checking
     the existence or not of the hole.

I'd be very happy to think option b) is what happened,
I wonder how many tests are needed when you have
the source code of the buggy program tho.
I don't mean to be picky but I've seen a) happen a lot
more than b).


> We've been working on this problem over the weekend,
> coinciding as it has with our intent to release a new
> version, 2.41, early this week.  We are completing
> regression testing and beta testing and will be releasing
> the new version later today.
>
> Alun Jones
> President, Texas Imperial Software.

Alberto Soliño, the person at CORE that wrote the exploit,
also identified another remotely exploitable buffer overflow
that does not require ftp access. Since your next release will
attempt to cover the security holes found, it would be good
to also fix this; you may contact asolino () core-sdi com for
the details.

-ivan

-------------------------------------------------------------------
Ivan Arce
Presidente
CORE SDI S.A.
Buenos Aires, Argentina
http://www.core-sdi.com
TE: +54-11-4331-5402
-------------------------------------------------------------------

--- For a personal reply use iarce () core-sdi com

