At 03:20 PM 4/22/2001, Len Budney wrote:

>WFTP is the Win/NT FTP server by Alun Jones

Incorrect. WFTP was a short-lived FTP _client_, by someone else entirely. _WFTPD_ is the Windows (all versions) FTP server by Texas Imperial Software.

>The latest version of WFTPD is vulnerable to a buffer overflow in the
>RETR and CWD commands. The overflow can be used to completely disable
>the FTP server, and can probably be exploited to run arbitrary code
>on the server host.

Again, incorrect. The buffer overflow claimed here, and its accompanying "exploit" code posted by Mr Budney, are not effective against WFTPD or WFTPD Pro in any form. A normal FTP error response is given, and the server continues in its operation. Needless to say, anyone who, like Mr Budney, is unwilling to take the word of a vendor, is welcome to download and try our software against this reported vulnerability. We would welcome any corrections.

>This problem was already reported for version 3.0 R1 on March 3, 2001
>[1], and the author claimed that he had "fixed" the overflow. What he
>apparently did was make the buffers bigger; now instead of ~500 characters
>overflowing the buffer, it takes ~32K instead.

Again, incorrect. The author _did_ fix the overflow, and what the author _actually_ did, rather than any surmise in Mr Budney's mind, was to check the size of the input string against local buffers, and either dynamically re-size the buffers, trim the string, or ignore the command altogether. While no author can claim that his code is entirely free from bugs, _this_ vulnerability is not an issue with current versions of WFTPD and WFTPD Pro. Particularly, a CWD or RETR command with 32k of argument does _not_ cause WFTPD or WFTPD Pro to crash, hang, or otherwise misbehave. I have myself tested this against a command line with a million characters without any apparent adverse effects.

Rather ironically, given ongoing discussion on vendor notification in comp.security.unix, Mr Budney could have saved himself the embarrassment of having filed such a poorly-researched bug report had he contacted the vendors of WFTPD before posting to Bugtraq.

Alun Jones
President, Texas Imperial Software
--
Texas Imperial Software    | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place    | http://www.wftpd.com or email alunat_private
Cedar Park TX 78613-1419   | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246  | read details of WFTPD Pro for NT.
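The handling the reply above describes (measure the argument against the local buffer first, then resize dynamically or ignore the command with an ordinary error reply), as an added C example. This is illustrative code, not WFTPD's source: the buffer sizes, reply texts and function name are assumptions, and the "trim the string" option is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for this example; WFTPD's real values are not stated in the post. */
#define STACK_ARG_LEN   512          /* local buffer, enough for the common case */
#define MAX_ARG_LEN     (32 * 1024)  /* hard cap: longer arguments are ignored   */

enum cmd_status { CMD_OK = 0, CMD_REJECTED = 1, CMD_SYNTAX = 2 };

/* Handle one FTP command line such as "CWD /pub" or "RETR file".  The
 * argument is measured before it is copied anywhere, so an over-long
 * line yields a normal error reply instead of a smashed local buffer. */
enum cmd_status handle_cmd(const char *line, char *reply, size_t reply_len)
{
    char stack_buf[STACK_ARG_LEN];
    char *arg = stack_buf, *heap = NULL;
    const char *sp = strchr(line, ' ');
    const char *end;
    size_t n;

    if (sp == NULL) {
        snprintf(reply, reply_len, "501 Syntax error: argument required.\r\n");
        return CMD_SYNTAX;
    }
    /* memchr stops at the first NUL, so the scan never exceeds the cap. */
    end = memchr(sp + 1, '\0', MAX_ARG_LEN + 1);
    if (end == NULL) {
        /* Too long: ignore the command altogether and keep serving. */
        snprintf(reply, reply_len, "501 Argument too long (max %d bytes).\r\n", MAX_ARG_LEN);
        return CMD_REJECTED;
    }
    n = (size_t)(end - (sp + 1));
    if (n >= sizeof stack_buf) {
        /* Does not fit the local buffer: resize dynamically instead of overflowing. */
        heap = malloc(n + 1);
        if (heap == NULL) {
            snprintf(reply, reply_len, "451 Out of memory.\r\n");
            return CMD_REJECTED;
        }
        arg = heap;
    }
    memcpy(arg, sp + 1, n);
    arg[n] = '\0';

    /* A real server would act on arg here; this example only acknowledges it. */
    snprintf(reply, reply_len, "200 %.*s argument accepted (%zu bytes).\r\n",
             (int)(sp - line), line, n);
    free(heap);
    return CMD_OK;
}
```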
This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 12:37:42 PDT