Vulnerability Development mailing list archives
Re: [Ftp client , Format strings and SEGFAULTS]
From: KF <dotslash () snosoft com>
Date: Wed, 05 Dec 2001 14:42:09 -0500
I certainly stand corrected... I assumed that the addresses in the server response were from the client processing the %x%x's when the error was returned to the client... it was indeed sent to the server in that format and sent back the same way...

[elguapo@linux elguapo]$ nc -l -p 2345
220
USER anonymous
220
SYST
220
SITE %x
500 %p%p%p%p%p
....

Meanwhile on my other terminal.

[elguapo@linux elguapo]$ ftp localhost 2345
Connected to localhost.
220
Name (localhost:elguapo): anonymous
220
Remote system type is .
ftp> site %x
500 %p%p%p%p%p
^----- note that just like Michal stated the client does properly handle the response from the server.

-KF

Michal Zalewski wrote:
On Wed, 5 Dec 2001, KF wrote:
> Theoretically a server could construct a malicious response to a site quote command and maybe take control of the client...

So far, we've seen fault conditions while parsing user-provided input (commands). I didn't audit Linux ftp client, but I've performed several tests some time ago, and I recall it seems to handle server responses well. I didn't look too carefully, so it might be possible somewhere (handling more advanced commands like 'mget', perhaps?), but it looks good with simple activity...

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-= http://lcamtuf.coredump.cx/photo/
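The distinction the thread turns on is whether a client hands a server reply such as "500 %p%p%p%p%p" to the formatter as the format string or as an argument. The following C program is an added example written for this page; it is not code from either message nor from the ftp client or netcat discussed. The reply strings are constructed to mirror the session above, and the function names (render_reply, count_format_directives) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample server replies, modelled on the session in the thread
 * (a server echoing the "site %x" argument back inside a 500 reply). */
static const char *const SAMPLE_REPLIES[] = {
    "220 ",
    "500 %p%p%p%p%p",
    "500 %x %x %x %x",
    "200 100%% done",
};

/* Count printf-style conversion directives in a reply. A doubled "%%" is a
 * literal percent sign and is not counted; a trailing lone '%' is ignored.
 * Useful as a log or audit check: a non-zero count on an untrusted line
 * means that line must never be used as a format string. */
size_t count_format_directives(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent, skip pair */
        if (s[1] == '\0') break;             /* lone '%' at end of string */
        n++;
    }
    return n;
}

/* The safe way to display untrusted text: the reply is always passed as an
 * argument to a fixed "%s" format, so "%p" in the reply stays literal text.
 * The unsafe pattern this replaces is printf(reply) / fprintf(stdout, reply),
 * where the reply itself becomes the format string and its '%' sequences
 * drive the formatter. Returns bytes written, or -1 if the output buffer
 * was too small (output is then truncated but still NUL-terminated). */
int render_reply(const char *reply, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s", reply);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void) {
    char line[128];
    size_t count = sizeof SAMPLE_REPLIES / sizeof SAMPLE_REPLIES[0];
    for (size_t i = 0; i < count; i++) {
        const char *r = SAMPLE_REPLIES[i];
        if (render_reply(r, line, sizeof line) < 0) {
            puts("reply too long, dropped");
            continue;
        }
        /* The reply is printed verbatim; the directive count shows what
         * printf(reply) would have tried to interpret. */
        printf("%s  (directives: %zu)\n", line, count_format_directives(r));
    }
    return 0;
}
```

With the fixed "%s" format, the "500 %p%p%p%p%p" line reaches the terminal unchanged, which is the behaviour KF observed from the client; the directive count is what a reviewer or a log filter would use to spot reply lines that would be dangerous in a client that uses the printf(reply) pattern.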