I can confirm that version 1.6* have a problem, as described in the initial report. Until now, the command parser in War FTP Daemon 1.6* has allowed commands up to 8 KB in size. To prevent this, and other buffer-overflow problems, this size is decreased to (MAX_PATH + 8), and an additional check is added that prevents any command argument to exceed MAX_PATH in length. A new version, 1.67-4 has been released with this modification. See http://war.jgaa.com/alert/ for download details. Jarle Aase > -----Original Message----- > From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of > Toshimi Makino > Sent: Tuesday, February 01, 2000 8:59 AM > To: BUGTRAQat_private > Subject: war-ftpd 1.6x DoS > > > Hello, > > > "war-ftpd" is very popular ftp server for Windows95/98/NT. > I found DoS problem to "war-ftpd 1.6x" recently. > > > Outline: > It seems to occur because the bound check of the command of MKD/CWD > that uses it is imperfect when this problem controls the directory. > > However, could not hijack the control of EIP so as long as I test. > It is because not able to overwrite the RET address, > because it seems to be checking buffer total capacity properly > in 1.66x4 and later. > > The boundary of Access Violation breaks out among 8182 bytes > from 533 bytes neighborhood although it differs by the thread > that receives attack. > > > The version that is confirming this vulnerable point is as follows. > 1.66x4s, 1.67-3 > > > The version that this vulnerable point was not found is as follows. > 1.71-0 [...]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:11 PDT