NcFTPd remote buffer overflow

From: Julien Nadeau (sw3wnat_private)
Date: Tue Feb 23 1999 - 08:37:49 PST


    Proof of Concept - Security Advisory                        02/23/99
    http://poc.csoft.net                                     Released by
    pocat_private                                    sw3wnat_private
    
    ---
    
    Affected Program        NcFTPd <http://www.ncftp.com>
    Description             FTP server (commercial)
    Severity                Theoretical root compromise, logs compromise
    
    
    Synopsis:
    
    NcFTPd is a commercial FTP (File Transfer Protocol) server, in the
    NcFTP product line.  The source code is not publicly released.  This
    was tested on Linux with libc5 (there's a glibc2-specific version
    available).
    
    Problem:
    
    NcFTPd's PORT parsing function has a stack buffer overflow, which
    would normally allow a remote user to execute arbitrary code.  The
    catch is that the PORT parsing function seems to replace every
    character outside the range 0x30-0x39 (ASCII '0'-'9') with 0x20
    (ASCII space), which makes an exploit almost impossible: neither a
    return address nor shellcode survives the filter unless every byte
    happens to be a decimal digit (note that if 0x40 were allowed, that
    would be a different story =p).
    
    The program only filters characters outside the 0-9 range in a
    specific area of memory (the one that holds the return address, heh);
    the rest is left unchanged, and you can't really go further into
    memory, because the input line length is restricted.
    
    However, since NcFTPd does not come with source code, I'm not sure.
    As with most buffer overflows there are probably work-arounds to
    exploit it; this could have been a particularly neat exploit, since
    the server handles each session in a child process and one could
    gain access transparently without crashing the parent.
    
    As it stands the bug is not really a problem: it can crash the child
    process with a segfault, the parent process receives a signal 6
    (abort), the child process stays a zombie for a few seconds and a
    brand new one is created.
    A few minor DoS attacks are possible but, who cares.  Oh, and this
    could be used to avoid being listed in the logs too.
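    The following C program is an added example, not code from the
    advisory or from NcFTPd (whose source is not public).  It models the
    two points above: a filter that rewrites every byte outside 0x30-0x39
    to 0x20, with a helper that counts how many bytes of a candidate
    4-byte little-endian return address would survive it, and beside it a
    strict, length-checked PORT parser that rejects the long argument from
    the session below with a 501 instead of copying it into a fixed
    buffer.  The buffer limit, the sample addresses and the sample
    arguments are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Maximum legal length of a PORT argument: "255,255,255,255,255,255". */
#define PORT_ARG_MAX 23

/* Hypothetical model of the filter the advisory describes: every byte outside
 * 0x30..0x39 ('0'..'9') is rewritten to 0x20 (space).  Returns the number of
 * bytes that were altered. */
size_t filter_nondigits(unsigned char *buf, size_t len)
{
    size_t changed = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] < 0x30 || buf[i] > 0x39) {
            buf[i] = 0x20;
            changed++;
        }
    }
    return changed;
}

/* How many bytes of a 4-byte little-endian return address would pass the
 * filter unchanged.  Only an address made entirely of ASCII digits survives. */
int surviving_addr_bytes(unsigned int addr)
{
    unsigned char b[4];
    for (int i = 0; i < 4; i++)
        b[i] = (unsigned char)((addr >> (8 * i)) & 0xff);
    return 4 - (int)filter_nondigits(b, 4);
}

struct port_arg {
    unsigned char h[4];
    unsigned short port;
};

/* Strict PORT parser: h1,h2,h3,h4,p1,p2, each 0..255, nothing else.
 * Returns 0 on success, -1 on a syntax error (the server would reply 501).
 * The length is rejected before anything is copied, so there is no fixed
 * buffer for an over-long argument to overflow. */
int parse_port_arg(const char *arg, struct port_arg *out)
{
    if (arg == NULL || out == NULL)
        return -1;

    size_t len = 0;
    while (arg[len] != '\0') {
        if (++len > PORT_ARG_MAX)
            return -1;
    }
    if (len == 0)
        return -1;

    unsigned v[6];
    const char *p = arg;
    for (int i = 0; i < 6; i++) {
        if (*p < '0' || *p > '9')
            return -1;
        unsigned n = 0;
        int digits = 0;
        while (*p >= '0' && *p <= '9') {
            n = n * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || n > 255)
                return -1;
            p++;
        }
        v[i] = n;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != '\0')
        return -1;

    for (int i = 0; i < 4; i++)
        out->h[i] = (unsigned char)v[i];
    out->port = (unsigned short)(v[4] * 256 + v[5]);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a typical libc5-era stack address, an all-digit
     * address, and a long run of zeros like the one in the session below. */
    printf("bytes of 0xbffffd40 surviving the filter: %d\n",
           surviving_addr_bytes(0xbffffd40u));
    printf("bytes of 0x31323334 surviving the filter: %d\n",
           surviving_addr_bytes(0x31323334u));

    struct port_arg pa;
    char zeros[48];
    memset(zeros, '0', sizeof zeros - 1);
    zeros[sizeof zeros - 1] = '\0';
    printf("long run of zeros -> %s\n",
           parse_port_arg(zeros, &pa) == 0 ? "200 ok" : "501 Syntax error");
    if (parse_port_arg("127,0,0,1,4,1", &pa) == 0)
        printf("127,0,0,1,4,1 -> %u.%u.%u.%u port %u\n",
               pa.h[0], pa.h[1], pa.h[2], pa.h[3], pa.port);
    return 0;
}
```

    The filter model is what makes the "almost impossible" claim concrete:
    a stack address such as 0xbffffd40 loses all four bytes, so the
    overwritten return address becomes 0x20202020 and the child segfaults
    rather than jumping anywhere useful.  The strict parser is the fix a
    vendor would apply: bound the length first, then accept only the
    h1,h2,h3,h4,p1,p2 grammar.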
    
    Example:
    
    --
    evil:$ nc victim ftp
    220 victim NcFTPd Server (unregistered copy) ready.
    user anonymous
    331 Guest login ok, send your complete e-mail address as password.
    pass some@thing
    230-You are user #1 of 50 simultaneous users allowed.
    230-
    230 Logged in anonymously.
    port 00000000000000000000000000000000000000000000 (...)
    501 Syntax error in parameters.
    evil:$
    --
    
    Status:
    
    I couldn't come up with a patch, since the source code doesn't
    come with NcFTPd.  I contacted the authors about the bug.
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:17 PDT