Vulnerability Development mailing list archives
Re: ftp.exe buffer overflow ?
From: Egemen Tas <egement () KARYDE COM TR>
Date: Mon, 12 Feb 2001 00:53:42 -0800
This bug is different from the ones you mentioned. This is a bug in the MS FTP client's QUOTE command. When dealing with escape characters and formatting tags like %s %d %u, the QUOTE command behaves in an undetermined way. (Because I am too lazy to disassemble ftp.exe, do not wait for detailed information on this symptom.) The errors given occur when ftp.exe tries to output the error to the screen. Probably a function like printf() or fprintf() is called, and it will try to read a garbage region in the stack and leads to a segmentation fault. In my opinion this may be overflowable (because the error occurs in the stack segment! (I may be wrong)) but does not pose a great security risk, because ftp.exe runs with the credentials of the currently logged-on user.

QUOTE %s%s%s will give an error according to the # of %s's, which depends on the length of the command you have entered. Also the commands below give strange results:

QUOTE %d
500 '16807968': command not understood

QUOTE %x
etc.

Microsoft has been informed about this situation.

Regards
Egemen Tas

----- Original Message -----
From: "Mike Duncan" <duncan () RANDOMTASK NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 10:18 AM
Subject: Re: ftp.exe buffer overflow ?

I tried this on...

* Win98 (4.10.1998): Invalid page fault (as described).
* RedHat 7.0 NcFTP 3.0.1/448 (Library version: LibNcFTP 3.0.1): Segmentation fault.
* RedHat 7.0 FTP (Linux NetKit (0.17-pre-20000412August 15, 1999)): "501 Cannot EXEC command line (error=2)." Appeared to be fixed?

I know this is an old bug, but I wanted to show it still exists in some but not all apps.

On Sat, 10 Feb 2001, Riley Hassell wrote:

That problem was discussed a while ago with the unix/linux ftp clients. It's very interesting that Microsoft's ftp client has a similar problem. ;) Possibly a format bug.

--After reviewing it, it looks like there is also a standard overflow. 'quote site exec <Ax1000>' overwrote the EIP =)

----- Original Message -----
From: "cyber_hunter" <cyber_hunter () LINUXBR COM BR>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, February 10, 2001 11:44 PM
Subject: ftp.exe buffer overflow ?

While I was reading something about wu-ftp I found an interesting buffer overflow on ftp.exe. First log on to any ftp server (any), then:

quote site exec %s%s%s%s%s%s

(this will work even if the server doesn't support site exec) and:

"ftp caused an invalid page fault in module MSVCRT.DLL ..."

I don't know if an exploit can be made, and if this would be used for something.

ps: I have not tried with any ftp client.

--
------------------------------------------
Mike Duncan
security () randomtask net
http://www.randomtask.net
FLOD: The World's Perfect Cube Of Fat
Also comes in glow-in-the-dark models.
** Don't accept any imitations. **
------------------------------------------
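A constructed illustration of the format-string pattern the thread describes, added here as an example and not code from ftp.exe or from any of the posters: the vulnerable call that uses the echoed reply text as the printf format, the fixed form beside it, and a small helper that counts conversion specifiers so a client can reject or log such input before it reaches a formatting routine. All function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug discussed above (not ftp.exe's real code).
 * The client prints the server's "500 '<cmd>': command not understood"
 * reply, where <cmd> is whatever the user typed after QUOTE. */

/* VULNERABLE pattern: user-controlled text becomes the format string.
 * Each %s makes the formatter pull a pointer off the stack and dereference
 * it, which is why "QUOTE %s%s%s" faults and "QUOTE %d" prints a stack value. */
void report_error_vulnerable(const char *reply_text)
{
    char line[256];
    snprintf(line, sizeof line, reply_text);   /* CWE-134: never do this */
    fputs(line, stderr);
}

/* HARDENED pattern: a constant format, user data only as a %s argument.
 * Returns the number of characters snprintf would have written. */
int report_error_safe(char *out, size_t out_len, const char *reply_text)
{
    return snprintf(out, out_len, "500 '%s': command not understood\n",
                    reply_text);
}

/* Defender-side check: count printf conversion specifiers in untrusted text,
 * e.g. to reject or flag QUOTE arguments before they reach any formatter.
 * "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }      /* "%%" -> literal '%' */
        const char *p = s + 1;                   /* skip flags/width/precision/length */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {
            n++;
            s = p;                               /* resume after the conversion char */
        }
    }
    return n;
}
```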