At 02:44 PM 4/23/2001, Alun Jones wrote:
>>The latest version of WFTPD is vulnerable to a buffer overflow in the
>>RETR and CWD commands. The overflow can be used to completely disable
>>the FTP server, and can probably be exploited to run arbitrary code
>>on the server host.
>
>Again, incorrect. The buffer overflow claimed here, and its accompanying
>"exploit" code posted by Mr Budney, are not effective against WFTPD or
>WFTPD Pro in any form. A normal FTP error response is given, and the
>server continues in its operation. Needless to say, anyone who, like Mr
>Budney, is unwilling to take the word of a vendor, is welcome to download
>and try our software against this reported vulnerability. We would welcome
>any corrections.

Further analysis of reports from a customer's report of similar behaviour
as this suggests that the problem discovered by Mr Budney is not caused by
WFTPD Pro, but is an unchecked buffer in the Windows NT 4.0 API function
"GetFullPathName". Windows 2000 is clearly immune - and had Mr Budney's
original post included details of the OS he was running, we could have
found the real culprit far quicker.

Needless to say, while the bug appears to be in the operating system
itself, it's clear that bracketing the call to GetFullPathName with code
designed to prevent the bug from appearing is in order. Once we are sure of
the full scope of this bug, we shall be releasing a workaround for it, and
reporting the full details to this list - we can be sure that other
programs call GetFullPathName, and some may do so in ways that can trigger
this bug.

As buffer overflows so often occur in places other than where they appear,
it's likely that until we get down to a small piece of code that clearly
shows the problem, we can't guarantee that this is the end of our search.
It is still possible, of course, that something else is responsible for
memory corruption that causes this overflow.

This posting, while somewhat lacking in hard, provable, information, is in
response to several phone calls we have received today regarding this
report.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alunat_private
Cedar Park TX 78613-1419  | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.

This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 20:41:05 PDT