WFTPD "Pro" 3.0 R4 Buffer Overflow

From: Len Budney (lbudney-lists-bugtraqat_private)
Date: Sun Apr 22 2001 - 13:20:00 PDT


    WFTP is the Win/NT FTP server by Alun Jones, "an author acknowledged as
    an expert in FTP and TCP/IP". This advisory pertains to "Professional"
    version 3.00 R4, which appears to be the current version. It can be
    downloaded from the author's site at <http://www.wftpd.com/>. WFTPD is
    released as shareware, and costs $120.
    
    The latest version of WFTPD is vulnerable to a buffer overflow in the
    RETR and CWD commands. The overflow can be used to completely disable
    the FTP server, and can probably be exploited to run arbitrary code
    on the server host.
    
    This problem was already reported for version 3.0 R1 on March 3, 2001
    [1], and the author claimed that he had "fixed" the overflow. What he
    apparently did was make the buffers bigger; now instead of ~500 characters
    overflowing the buffer, it takes ~32K instead.
    
    Similar buffer overflows were reported on September 5, 2000 for version
    2.41 RC12 [2], and for version 2.40 on October 28, 1999 [3].
    
    The exploit is essentially unchanged from the one posted a month ago;
    since <se00020at_private> Windows, version, attached is a UNIX version.
    A root exploit can probably be adapted from Alberto Solino's code [4].
    
    Len Budney
    
    References:
    
    [1] http://www.securityfocus.com/templates/archive.pike?list=1&mid=166467
    [2] http://www.securityfocus.com/templates/archive.pike?list=1&mid=71096
    [3] http://www.securityfocus.com/templates/archive.pike?list=1&mid=32397
    [4] http://oliver.efri.hr/~crv/security/bugs/Others/wftpd3.html
    
    --
    Frugal Tip #40:
    Instead of commuting to work every day, consider tending to your job
    duties by mental telepathy.
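
Added example, not part of the post above and not WFTPD code: the advisory's point is that enlarging a buffer only raises the length at which it overflows, so this sketch checks the CWD/RETR argument against the destination size and rejects anything that does not fit. The function names, return codes and buffer sizes are assumptions made for illustration.

```c
/* Added illustration, not WFTPD source; names and sizes are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the path argument of "CWD <path>" or "RETR <path>" into dst.
 * Returns 0 on success, -1 for any other command, -2 when the argument is
 * empty or does not fit in dstsz bytes. An unchecked strcpy(dst, arg) in
 * this position overruns dst at some length for every buffer size. */
int ftp_path_arg(const char *line, char *dst, size_t dstsz)
{
    const char *arg;
    size_t len;
    if (strncmp(line, "CWD ", 4) == 0)
        arg = line + 4;
    else if (strncmp(line, "RETR ", 5) == 0)
        arg = line + 5;
    else
        return -1;

    len = strcspn(arg, "\r\n");      /* argument ends at CR or LF */
    if (len == 0 || len >= dstsz)    /* reject rather than truncate */
        return -2;
    memcpy(dst, arg, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed input: "CWD " plus arglen filler bytes, checked against a
 * destination buffer of bufsz bytes. Returns -3 if allocation fails. */
int check_len(size_t bufsz, size_t arglen)
{
    char *line = malloc(arglen + 7), *dst = malloc(bufsz);
    int rc = -3;
    if (line && dst) {
        memcpy(line, "CWD ", 4);
        memset(line + 4, 'A', arglen);
        memcpy(line + 4 + arglen, "\r\n", 3);   /* CR, LF and the NUL */
        rc = ftp_path_arg(line, dst, bufsz);
    }
    free(line);
    free(dst);
    return rc;
}

int main(void)
{
    printf("%d %d\n", check_len(512, 600), check_len(32768, 33000));
    return 0;
}
```

With the check in place the outcome depends on the comparison, not on how large the buffer happens to be: a 600-byte argument is refused for a 512-byte buffer and a 33000-byte argument is refused for a 32768-byte one.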
    
    
    
    
    


