Re: WFTPD "Pro" 3.0 R4 Buffer Overflow

From: Alun Jones (alunat_private)
Date: Mon Apr 23 2001 - 12:44:55 PDT


    At 03:20 PM 4/22/2001, Len Budney wrote:
    >WFTP is the Win/NT FTP server by Alun Jones
    
    Incorrect.  WFTP was a short-lived FTP _client_, by someone else
    entirely.  _WFTPD_ is the Windows (all versions) FTP server by Texas
    Imperial Software.
    
    >The latest version of WFTPD is vulnerable to a buffer overflow in the
    >RETR and CWD commands. The overflow can be used to completely disable
    >the FTP server, and can probably be exploited to run arbitrary code
    >on the server host.
    
    Again, incorrect.  The buffer overflow claimed here, and its accompanying
    "exploit" code posted by Mr Budney, are not effective against WFTPD or
    WFTPD Pro in any form.  A normal FTP error response is given, and the
    server continues in its operation.  Needless to say, anyone who, like Mr
    Budney, is unwilling to take the word of a vendor, is welcome to download
    and try our software against this reported vulnerability.  We would welcome
    any corrections.
    
    >This problem was already reported for version 3.0 R1 on March 3, 2001
    >[1], and the author claimed that he had "fixed" the overflow. What he
    >apparently did was make the buffers bigger; now instead of ~500 characters
    >overflowing the buffer, it takes ~32K instead.
    
    Again, incorrect.  The author _did_ fix the overflow, and what the author
    _actually_ did, rather than any surmise in Mr Budney's mind, was to check
    the size of the input string against local buffers, and either dynamically
    re-size the buffers, trim the string, or ignore the command
    altogether.  While no author can claim that his code is entirely free from
    bugs, _this_ vulnerability is not an issue with current versions of WFTPD
    and WFTPD Pro.  Particularly, a CWD or RETR command with 32k of argument
    does _not_ cause WFTPD or WFTPD Pro to crash, hang, or otherwise
    misbehave.  I have myself tested this against a command line with a million
    characters without any apparent adverse effects.
    
    Rather ironically, given ongoing discussion on vendor notification in
    comp.security.unix, Mr Budney could have saved himself the embarrassment of
    having filed such a poorly-researched bug report had he contacted the
    vendors of WFTPD before posting to Bugtraq.
    
    Alun Jones
    President, Texas Imperial Software
    
    --
    Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
    1602 Harvest Moon Place   | http://www.wftpd.com or email alunat_private
    Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
    Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
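As an added illustration of the approach the reply describes (measure the argument against the buffer, then resize, trim, or ignore the command and answer with a normal FTP error), here is a C handler for the CWD command. This is example code written for this archive page, not WFTPD's own source; the 4096-byte argument limit and the choice of reply codes are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_ARG_LEN 4096 /* assumed policy limit for this example; not WFTPD's value */
/* RFC 959 reply codes. */
#define FTP_OK          200
#define FTP_CMD_ERROR   500
#define FTP_PARAM_ERROR 501
#define FTP_NO_STORAGE  452
/* Handle one "CWD <path>" line. The argument is measured before anything is
 * copied; only one within the limit is copied, into a heap buffer sized to
 * fit it. An oversized argument is ignored and answered with an ordinary
 * error reply, so there is no fixed buffer to overrun. On success
 * *path_out receives a NUL-terminated copy that the caller frees. */
int handle_cwd(const char *line, size_t line_len, char **path_out)
{
    static const char verb[] = "CWD ";
    const size_t vlen = sizeof verb - 1;
    *path_out = NULL;
    if (line_len < vlen || memcmp(line, verb, vlen) != 0)
        return FTP_CMD_ERROR;
    const char *arg = line + vlen;
    size_t arg_len = line_len - vlen;
    /* Trim a trailing CRLF without walking outside [arg, arg + arg_len). */
    while (arg_len > 0 && (arg[arg_len - 1] == '\r' || arg[arg_len - 1] == '\n'))
        arg_len--;
    if (arg_len == 0 || arg_len > MAX_ARG_LEN)
        return FTP_PARAM_ERROR;
    char *copy = malloc(arg_len + 1);
    if (copy == NULL) return FTP_NO_STORAGE;
    memcpy(copy, arg, arg_len);
    copy[arg_len] = '\0';
    *path_out = copy;
    return FTP_OK;
}
/* Build a constructed "CWD " + n x 'A' + CRLF line, run it through
 * handle_cwd and return the reply code (32K or a million characters should
 * yield 501, not a crash). */
int reply_for_arg_length(size_t n)
{
    size_t len = 4 + n + 2;
    char *line = malloc(len);
    if (line == NULL) return FTP_NO_STORAGE;
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'A', n);
    memcpy(line + 4 + n, "\r\n", 2);
    char *path = NULL;
    int code = handle_cwd(line, len, &path);
    free(path); free(line);
    return code;
}
```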
    



    This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 12:37:42 PDT