Re: ncftp 2.4.3 bug

From: Mike Gleason (mgleasonat_private)
Date: Mon Jun 22 1998 - 11:11:04 PDT


    At 09:57 AM 6/22/98 -0500, Shaw Terwilliger <twigat_private> wrote:
    
    >I hope you sent this to Mike Gleason before BugTraq...
    
    Of course he didn't.  It wouldn't do much good if I could post an official
    patch before there was widespread exploitation of the bug.  After all, the
    more damage the bug causes, the more prestige he had to gain at my expense.
    However, I do subscribe to this list, and had been working on this problem
    (see below).
    
    > you're not helping
    >anyone by excluding the author from your audience.  How do you think bugs
    >are going to get fixed if you never tell the author [...] ?
    
    Agreed.  This is irresponsible and inexcusable behavior, especially
    considering my e-mail address is displayed every single time you run the
    program.  But it'll keep happening too, as long as these self-appointed
    security experts exist with their own agendas.  Michael at Cygnus
    experienced this problem with SN not too long ago, and of course I did as
    well a few months ago.
    
    
    > [...] Paul Boehm <paulat_private> wrote:
    >> i think i've found a bug in ncftp 2.4.3 (latest stable release)...
    >> if you connect to a ftp server that responds with something like the
    >> shit below ncftp2.4.3 segfaults. i think this is exploitable,
    >> but had no time/motivation to look further into it.
    
    
    >> every reply that looks like this works:
    >> 331 a
    >> 230 b
    >> c[putting here some exploit code may work]
    
    >> PS: i have no clue why this crashes ncftp... i haven't looked through
    >>     ncftp's source
    
    >>but maybe someone else will.
    
    Did you ever think that perhaps the author would?
    
    He didn't seem to have enough time to make a cursory investigation into why
    this happens or at least report it to me, but oddly he had plenty of time
    to post to this list about it.  At least the last guy spent enough time to
    write an exploit to prove in fact that it was a bug and needed a fix ASAP.
    
    As for this particular bug, it crashes because ncftp 2.x was trying to copy
    from a NULL pointer.  So, no buffer exploit.  Version 3 (still beta)
    handles it just fine.  The official gospel is to upgrade to version 3,
    since the bug doesn't occur naturally in the wild.
    
    BTW, thanks, Shaw, for making sure I knew about it.  Luckily there are still
    more responsible Netizens out there than not.
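
    The following is an added illustration, not part of Mike Gleason's message and not ncftp's source: a small C parser for FTP reply lines that treats a line without a three-digit code, like the bare "c" in the quoted report, as continuation text instead of dereferencing a missing delimiter. It shows the defensive shape a client-side reply reader should have: every line goes through one bounds-checked parse, a missing code yields -1 rather than a NULL-derived pointer, and stray lines arriving outside a multi-line reply are kept as text. All function names, the REPLY_TEXT_MAX bound and the sample reply lines are constructed for this example; the multi-line handling simplifies RFC 959 (any coded line followed by a space terminates the reply, without checking that its code matches the opening line).

```c
/* Added example (not ncftp code): defensive parsing of FTP server reply lines. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REPLY_TEXT_MAX 256   /* constructed bound for one line of reply text */

typedef struct {
    int code;     /* 3-digit reply code, or -1 when the line carries none */
    int is_last;  /* 1 for "ddd text" (completes a reply), 0 for "ddd-text" or a bare line */
    char text[REPLY_TEXT_MAX];
} ftp_reply_line;

/* Parse one line from the server. Lines that do not start with "ddd " or "ddd-"
 * are treated as continuation text with code -1; nothing is ever copied from a
 * pointer derived from a delimiter that was not found. Returns 0, or -1 on NULL. */
int ftp_parse_reply_line(const char *line, ftp_reply_line *out)
{
    if (line == NULL || out == NULL) return -1;
    memset(out, 0, sizeof *out);
    out->code = -1;

    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n')) len--;  /* drop CRLF */

    const char *text = line;
    if (len >= 3 && isdigit((unsigned char)line[0]) &&
        isdigit((unsigned char)line[1]) && isdigit((unsigned char)line[2])) {
        int code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
        if (len == 3)           { out->code = code; out->is_last = 1; text = line + 3; len = 0; }
        else if (line[3] == ' ') { out->code = code; out->is_last = 1; text = line + 4; len -= 4; }
        else if (line[3] == '-') { out->code = code; out->is_last = 0; text = line + 4; len -= 4; }
        /* digits followed by anything else: keep the whole line as uncoded text */
    }
    if (len >= REPLY_TEXT_MAX) len = REPLY_TEXT_MAX - 1;  /* bounded copy */
    memcpy(out->text, text, len);
    out->text[len] = '\0';
    return 0;
}

/* Convenience wrappers so a caller can test a single line without a struct. */
int ftp_line_code(const char *line)
{
    ftp_reply_line r;
    return ftp_parse_reply_line(line, &r) == 0 ? r.code : -1;
}
int ftp_line_is_last(const char *line)
{
    ftp_reply_line r;
    return ftp_parse_reply_line(line, &r) == 0 ? r.is_last : -1;
}

/* Consume lines until one carries a code and is_last. Returns that code, or -1
 * if the input ran out first (e.g. a stray uncoded line). Text of every line is
 * appended, newline-separated, into 'text' (always NUL-terminated, never overrun).
 * 'consumed' receives the number of lines used. */
int ftp_collect_reply(const char *const *lines, size_t nlines, size_t *consumed,
                      char *text, size_t textsz)
{
    size_t used = 0;
    if (textsz > 0) text[0] = '\0';
    for (size_t i = 0; i < nlines; i++) {
        ftp_reply_line r;
        if (ftp_parse_reply_line(lines[i], &r) != 0) continue;
        if (textsz > 0 && used < textsz - 1) {
            if (used > 0) text[used++] = '\n';
            size_t room = textsz - 1 - used;
            size_t need = strlen(r.text);
            if (need > room) need = room;
            memcpy(text + used, r.text, need);
            used += need;
            text[used] = '\0';
        }
        if (r.code >= 0 && r.is_last) {
            if (consumed) *consumed = i + 1;
            return r.code;
        }
    }
    if (consumed) *consumed = nlines;
    return -1;
}

int main(void)
{
    /* Constructed server output in the shape described in the report. */
    const char *const seq[] = { "331 a", "230 b", "c" };
    size_t pos = 0, used = 0;
    char text[128];
    while (pos < 3) {
        int code = ftp_collect_reply(seq + pos, 3 - pos, &used, text, sizeof text);
        printf("reply code %d, %zu line(s), text \"%s\"\n", code, used, text);
        pos += used;
    }
    return 0;
}
```

    Run against the three constructed lines, the loop reports reply 331, then reply 230, then a code of -1 with text "c" for the dangling line, and exits normally; the point is that a malformed line is a parse result to be handled by the caller, not a path to an invalid pointer.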
    

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:12 PDT