GetFullPathName overflow - was 'Re: WFTPD "Pro" 3.0 R4 Buffer Overflow'

From: Alun Jones (alunat_private)
Date: Tue Apr 24 2001 - 15:22:46 PDT


    At 02:44 PM 4/23/2001, Alun Jones wrote:
    >>The latest version of WFTPD is vulnerable to a buffer overflow in the
    >>RETR and CWD commands. The overflow can be used to completely disable
    >>the FTP server, and can probably be exploited to run arbitrary code
    >>on the server host.
    >
    >Again, incorrect.  The buffer overflow claimed here, and its accompanying
    >"exploit" code posted by Mr Budney, are not effective against WFTPD or
    >WFTPD Pro in any form.  A normal FTP error response is given, and the
    >server continues in its operation.  Needless to say, anyone who, like Mr
    >Budney, is unwilling to take the word of a vendor, is welcome to download
    >and try our software against this reported vulnerability.  We would welcome
    >any corrections.
    
    Further analysis of a customer's report of behaviour similar to this
    suggests that the problem discovered by Mr Budney is not caused by
    WFTPD Pro, but is an unchecked buffer in the Windows NT 4.0 API function
    "GetFullPathName".  Windows 2000 is clearly immune - and had Mr Budney's
    original post included details of the OS he was running, we could have
    found the real culprit far quicker.
    
    Needless to say, while the bug appears to be in the operating system
    itself, it's clear that bracketing the call to GetFullPathName with code
    designed to prevent the bug from appearing is in order.  Once we are sure
    of the full scope of this bug, we shall be releasing a workaround for it,
    and reporting the full details to this list - we can be sure that other
    programs call GetFullPathName, and some may do so in ways that can trigger
    this bug.
    
    As buffer overflows so often occur in places other than where they appear,
    it's likely that until we get down to a small piece of code that clearly
    shows the problem, we can't guarantee that this is the end of our
    search.  It is still possible, of course, that something else is
    responsible for memory corruption that causes this overflow.  This posting,
    while somewhat lacking in hard, provable, information, is in response to
    several phone calls we have received today regarding this report.
    
    Alun.
    ~~~~
    
    --
    Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
    1602 Harvest Moon Place   | http://www.wftpd.com or email alunat_private
    Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
    Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
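
The post describes bracketing the GetFullPathName call with code that keeps the bug from being reachable, but neither that workaround nor any vendor fix appears on this page. What follows is an added example, not code from WFTPD, Texas Imperial Software or Mr Budney: a small C wrapper that (1) refuses oversized input before the call, (2) asks GetFullPathNameA for the size it needs and allocates exactly that, and (3) validates the return value against the buffer size it actually passed, so a misbehaving API can be detected instead of trusted. SAFE_PATH_INPUT_MAX is an assumed policy value, and on non-Windows builds a constructed test double stands in for GetFullPathNameA (it models only the documented return-value contract, not real path normalisation) so the file compiles and runs anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Test double for non-Windows builds, constructed for this example. It mimics
 * only the documented contract of GetFullPathNameA: 0 on failure, the required
 * size (including the terminating NUL) when the buffer is too small, and the
 * number of characters written (excluding NUL) on success. It does not
 * normalise separators or resolve ".." the way Windows does. */
typedef unsigned long DWORD;
typedef char *LPSTR;
typedef const char *LPCSTR;
#define MAX_PATH 260

static DWORD GetFullPathNameA(LPCSTR name, DWORD size, LPSTR buf, LPSTR *filePart)
{
    char full[4096];
    int n;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (strlen(name) >= 2 && name[1] == ':')
        n = snprintf(full, sizeof full, "%s", name);           /* already absolute */
    else
        n = snprintf(full, sizeof full, "C:\\srv\\%s", name);  /* constructed cwd */
    if (n < 0 || (size_t)n >= sizeof full)
        return 0;
    if ((DWORD)n + 1 > size)
        return (DWORD)n + 1;                                    /* too small: size needed */
    memcpy(buf, full, (size_t)n + 1);
    if (filePart != NULL) {
        char *p = strrchr(buf, '\\');
        *filePart = (p != NULL) ? p + 1 : buf;
    }
    return (DWORD)n;
}
#endif

/* Longest client-supplied name this wrapper will hand to the OS at all.
 * Hypothetical policy value; what matters is that the check runs before
 * the API call, so an oversized name never reaches it. */
#define SAFE_PATH_INPUT_MAX (MAX_PATH - 1)

/* Returns a heap-allocated full path (caller frees) or NULL on any failure. */
char *safe_full_path(const char *name)
{
    DWORD need, got;
    char *buf;

    if (name == NULL || strlen(name) > SAFE_PATH_INPUT_MAX)
        return NULL;                                 /* (1) refuse oversized input */

    need = GetFullPathNameA(name, 0, NULL, NULL);    /* (2) query the required size */
    if (need == 0 || need > MAX_PATH)
        return NULL;                                 /* error, or longer than we accept */

    buf = malloc(need);
    if (buf == NULL)
        return NULL;

    got = GetFullPathNameA(name, need, buf, NULL);   /* (3) fill the exact-size buffer */
    if (got == 0 || got >= need) {                   /* error, or "still too small" */
        free(buf);
        return NULL;
    }
    return buf;
}

/* 1 if the wrapper accepts the name and the result fits in MAX_PATH, else 0. */
int accepts_short_name(const char *name)
{
    char *p = safe_full_path(name);
    int ok = (p != NULL && strlen(p) < MAX_PATH);
    free(p);
    return ok;
}

/* 1 if a name of `len` bytes is refused, 0 if it is accepted. */
int rejects_long_name(size_t len)
{
    char *big = malloc(len + 1), *p;
    int rejected;
    if (big == NULL) return 0;
    memset(big, 'A', len);
    big[len] = '\0';
    p = safe_full_path(big);
    rejected = (p == NULL);
    free(big);
    free(p);
    return rejected;
}

int main(void)
{
    const char *samples[] = { "pub/readme.txt", "C:\\data\\file.bin", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *p = safe_full_path(samples[i]);
        printf("%-20s -> %s\n", samples[i], p ? p : "(rejected)");
        free(p);
    }
    printf("300-byte name rejected: %s\n", rejects_long_name(300) ? "yes" : "no");
    return 0;
}
```

On a real Windows build the `#ifdef _WIN32` branch uses the genuine API, and the wrapper's three checks are the part worth keeping: the length cap stops a long RETR or CWD argument before any OS code sees it, and comparing `got` with `need` catches the case where the API reports that the buffer it was just handed is too small.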
    