Re: QPC FTPd Directory Traversal and BoF Vulnerabilities

From: Crono (cronoat_private)
Date: Wed Apr 18 2001 - 02:21:53 PDT


    ----- Original Message -----
    From: SNS Research <vuln-devat_private>
    To: <BUGTRAQat_private>
    Sent: Friday, April 13, 2001 9:13 PM
    Subject: QPC FTPd Directory Traversal and BoF Vulnerabilities
    
    
    > Problem(s):
    >
    > Directory Traversal Vulnerability
    >
    > The ftpd daemon that ships with the above mentioned packages is
    > vulnerable to a directory traversal problem. By adding '../'
    > (quotes excluded) to a listing request ('ls'), any user can gain
    > read access to directories other than his/her own.
    >
    >
    > Remote Buffer Overflow Vulnerability
    >
    > The ftpd daemon that ships with mentioned packages contains an
    > unchecked buffer in the logon function. When a username or
    > password of 655 bytes or more gets fed to the server the buffer
    > will overflow and will trigger an access violation, after which
    > the server dies.
    >
    
    Hi. Well, about the traversal vulnerability you are right, the bug exists. But,
    ¿are you sure that a buffer overflow exists in the logon sequence? I don't know
    if you tested it from a winnt box or from a win2000 box, but if you tested
    under winnt, using the "ftp client" of winnt, you may be mistaken. I
    will try to explain it:
    FTP.EXE (the winnt ftp client) has a buffer overflow when you try to "send" a
    long "username" and "password" to ANY ftp server; example: if you connect to
    the microsoft ftpd, and send a large amount of data in the logon sequence, you will
    see FTP.EXE produce an access violation, but it is FTP.EXE, not the ftp
    daemon. So, if you try to exploit any FTPD from winnt (I don't know if
    the same results can be provoked under win2000), sending long data in the
    logon sequence, you will always receive an access violation, but from the
    ftp client, not from the ftp server.
    Sorry for my English (it isn't my first language).
    
    Good Luck!
    --=--
    Crono
    mail: cronoat_private
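Added example, not code from either poster or from the QPC FTPd product: a server-side confinement check for the argument of a listing request ('ls'/LIST), which is the fix for the traversal described in the quoted advisory. The function names, the virtual-root layout and the home path are my own assumptions; backslashes are treated as separators because the server discussed runs on Windows.

```python
import os
import posixpath


def confine_listing_path(cwd, requested):
    """Lexically confine an FTP path argument (e.g. the argument to LIST /
    'ls') to the user's virtual root.

    cwd is the session's current directory in virtual form ('/' is the
    user's home); requested is the raw client argument.  Returns the
    normalised path relative to the home directory ('.' for the home
    itself), or None when the request would climb above the home.
    """
    if "\0" in requested:
        return None
    # Treat backslashes as separators too: on Windows '..\\' climbs a
    # directory just like '../' (assumption about the target platform).
    requested = requested.replace("\\", "/")
    virtual = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    # Normalise relative to the virtual root so leading '..' survive;
    # posixpath.normpath would silently swallow '/..' on an absolute path.
    rel = posixpath.normpath(virtual.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    return rel


def resolve_listing_path(home_dir, cwd, requested):
    """Map a confined virtual path onto the filesystem and re-check
    containment with realpath, so a symlink inside the home cannot be
    used to escape it either."""
    rel = confine_listing_path(cwd, requested)
    if rel is None:
        raise PermissionError("path escapes the user's home directory")
    root = os.path.realpath(home_dir)
    target = root if rel == "." else os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes the user's home directory")
    return target
```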
    



    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 10:17:14 PDT