Re: WFTPD v2.40 FTPServer remotely exploitable buffer overflow

From: iarce (core.lists.bugtraq@CORE-SDI.COM)
Date: Thu Nov 04 1999 - 11:56:14 PST


Alun Jones wrote:

> In response to Luck Martins' report of a buffer overflow in
> WFTPD 2.40 and 2.34, we can confirm that this error does
> exist.  Our initial tests suggest that it is more of

I guess we will have to wait for the 'final tests' then...

>
> a 'denial-of-service' nature, rather than an exploit
> allowing an attacker to load their own code into memory -
> the access that generates the fault is overwriting a single
> null byte into heap space, rather than stack space.
>

This is incorrect. asolino@core-sdi.com wrote
an exploit for 2.34 that overwrites the stack and
provides a remote shell with the only constraint of
having ftp access on the vulnerable box.
It uses the MKD overflow and exploits WFTPD on
winNT 4.0 SP[3-4], win95 and win98.
The exploit will be posted to bugtraq by him in a few
minutes.

So the above is obviously:
 a) a flawed attempt to minimize the impact of the hole
     based on marketroid strategies related to the term
     'damage control'
 b) a technical mistake made in the rush of checking
     the existence or not of the hole.

I'd be very happy to think option b) is what happened;
I wonder how many tests are needed when you have
the source code of the buggy program, though.
I don't mean to be picky, but I've seen a) happen a lot
more than b).

>
> We've been working on this problem over the weekend,
> coinciding as it has with our intent to release a new
> version, 2.41, early this week.  We are completing
> regression testing and beta testing and will be releasing
> the new version later today.
>
> Alun Jones
> President, Texas Imperial Software.

Alberto Soliño, the person at CORE that wrote the exploit,
also identified another remotely exploitable buffer overflow
that does not require ftp access. Since your next release will
attempt to cover the security holes found, it would be good
to also fix this; you may contact asolino@core-sdi.com for
the details.

-ivan

-------------------------------------------------------------------
Ivan Arce
Presidente
CORE SDI S.A.
Buenos Aires, Argentina
http://www.core-sdi.com
TE: +54-11-4331-5402
-------------------------------------------------------------------

--- For a personal reply use iarce@core-sdi.com

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:41 PDT