Full Disclosure mailing list archives
Re: War-ftpd bug small addition
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Sat, 29 Jan 2005 01:29:56 +0100
This is (obviously) a format string vulnerability. (Un)fortunately war-ftpd.exe has it's own implementation of printf-functions that doesn't support "%n" -> No arbitrary overwrites. The formatstring and destination string are on the heap and the destination is dynamically allocated --> no buffer overflows. All in all: no code execution. Vulnerabilities: Commands such as "USER %9999999999d%9999999999d%999999999999d" will consume a lot of CPU and memory, thus causing a DoS on the system and not just War-ftpd. (Maybe Secunia want to update their rating again.) Commands such as "USER %s%s%s%s%s....%s%s" are bound to run into a dword that doesn't point to allocated memory, thus causing a DoS on War-ftpd itself. To exploit this format string vuln, the target War-ftpd.exe needs to run as a service since it resides in one of the logging functions that it only uses when running as a service. Cheers, SkyLined Berend-Jan Wever <skylined () edup tudelft nl> TTP: http://www.edup.tudelft.nl/~bjwever MSN: skylined () edup tudelft nl IRC: SkyLined in #SkyLined on EFNET PGP: key ID 0x48479882 ----- Original Message ----- From: "class 101" <class101 () hat-squad com> To: <full-disclosure () lists netsys com> Sent: Friday, January 28, 2005 18:58 Subject: [Full-disclosure] War-ftpd bug small addition To fix the buggus advisory spreaded everywhere saying that you need to be authenticated, It's false Mc.Iglo ;) USER %s*115AAAAA PASS blahblah http://secunia.com/advisories/14054/ ------------------------------------------------------------- class101 Jr. Researcher Hat-Squad.com ------------------------------------------------------------- --------------------------------------------------------------------------------
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- War-ftpd bug small addition class 101 (Jan 28)
- Re: War-ftpd bug small addition Berend-Jan Wever (Jan 29)