bugtraqat_private list issue: NcFTPd

From: Mike Gleason (mgleasonat_private)
Date: Thu Jun 20 2002 - 15:53:23 PDT


    >>>  (this came from a bugtraq posting by 3APA3Aat_private)
    >>>
    >>> On Thu, Jun 20, 2002 at 02:00:51PM +0400, 3APA3A wrote:
    >>>
    >>>>
    >>>>   3.  There was also a report by DocSoft <docsoft at mail.ru> on a
    >>>>   buffer overflow in some older version of ncftpd on Solaris, but I was
    >>>>   not able to reproduce it, at least on the demo version of ncftpd >= 2.5.0
    >>>>   under FreeBSD, so it was bounced. The overflow is on the FTP DELE
    >>>>   command with a buffer > 256 bytes. Feel free to contact DocSoft if you
    >>>>   can confirm the vulnerability.
    
    
    I can't read Russian, but I am guessing that DocSoft is making a similar 
    incorrect conclusion to what the older versions of the Nessus scanner 
    used to do.  Below is a snippet from the page 
    http://hackcastle.hut.ru/p_bugs.htm, which contains some cyrillic 
    characters, so it may not be legible, but:
    
        Бага в NcFTPd Server [author: DocSoft]        (Bug in NcFTPd Server)
        Посмотреть                                    (View)
        Реализация DoS-атаки на FTP                   (Implementation of a DoS attack on FTP)
    
    I do see "DoS" so I assume that DocSoft is concluding that sending a 
    very long "DELE AAAA...AAA" is causing NcFTPd to exit because the 
    connection is abruptly closed.  Often when a server process abruptly 
    closes the connection it means that the server process has crashed, 
    resulting in (at a minimum) a denial-of-service.
    
    However, NcFTPd has code to detect clients looking for buffer overflows, 
    and when it detects a client attempting one, NcFTPd forcefully 
    disconnects the user.  Older versions used to simply boot them off with 
    no message, but that was changed so that it sends back an FTP "550" 
    response first, _then_ it disconnects them.
    
    Long story short: sending "DELE " followed by a huge number of 
    characters does not cause any version of NcFTPd Server to crash or 
    overflow an internal buffer.
    
    Mike Gleason
    NcFTP Software
    http://www.NcFTP.com
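    The distinction drawn in the post above (a "550" reply followed by a
    disconnect, versus a connection that simply drops) is exactly what a
    scanner has to check before it reports a crash.  The following is an
    added example, not code from the original post and not NcFTPd's own
    code: a toy server that applies the described policy (refuse an
    overlong command line with a 550, then disconnect), a second stand-in
    that just drops the client the way a crashed or silently-booting
    server would, and a probe that sends an oversized DELE and classifies
    what it observes.  The 256-byte limit, the reply strings, the function
    names and the verdict labels are all assumptions chosen for
    illustration; the page does not give NcFTPd's actual threshold.

```python
"""Tell a defensive disconnect from a crash when probing an FTP server
with an overlong DELE argument.  Added example, not NcFTPd code; the
limit, reply texts and verdict labels below are assumptions."""
import socket
import threading

MAX_CMD_LEN = 256   # assumed limit; NcFTPd's real threshold is not given on the page
PROBE_LEN = 4096    # size of the DELE argument the probe sends
REJECT = b"550 Command line too long; closing connection.\r\n"


def server_reply(line: bytes) -> tuple[bytes, bool]:
    """Toy policy for one complete command line: returns (reply, keep_connection)."""
    line = line.rstrip(b"\r\n")
    if len(line) > MAX_CMD_LEN:
        return REJECT, False                        # refuse, then hang up
    verb = line.split(b" ", 1)[0].upper()
    if verb == b"DELE":
        return b"550 Permission denied.\r\n", True  # toy server has nothing to delete
    if verb == b"QUIT":
        return b"221 Goodbye.\r\n", False
    return b"500 Unknown command.\r\n", True


def serve_once(sock: socket.socket) -> None:
    """Serve one already-connected client with bounded line reading, then close."""
    try:
        sock.sendall(b"220 toy FTP ready.\r\n")
        buf = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                reply, keep = server_reply(line)
                sock.sendall(reply)
                if not keep:
                    return
            if len(buf) > MAX_CMD_LEN:              # partial line already longer than any
                sock.sendall(REJECT)                # legal command: reject before buffering more
                return
    finally:
        sock.close()


def serve_and_drop(sock: socket.socket) -> None:
    """Stand-in for a server that dies, or silently boots the client, on input."""
    try:
        sock.sendall(b"220 toy FTP ready.\r\n")
        sock.recv(65536)
    finally:
        sock.close()


def classify(reply: bytes, closed: bool) -> str:
    """Turn what the probe observed into a verdict."""
    if reply.startswith(b"550") and closed:
        return "rejected"       # refused, then disconnected: the documented defence, not a crash
    if not reply and closed:
        return "abrupt-close"   # no reply at all: crash or silent boot; check the server side
    if reply and not closed:
        return "handled"        # command answered and the session is still alive
    return "unknown"


def probe_dele(sock: socket.socket, arg_len: int = PROBE_LEN, timeout: float = 5.0) -> str:
    """Send 'DELE ' + 'A' * arg_len on a connected socket and classify the outcome."""
    sock.settimeout(timeout)
    sock.recv(4096)                                 # consume the 220 banner
    sock.sendall(b"DELE " + b"A" * arg_len + b"\r\n")
    reply, closed = b"", False
    try:
        while not reply.endswith(b"\r\n"):          # read one full reply line
            chunk = sock.recv(4096)
            if not chunk:
                closed = True
                break
            reply += chunk
        if not closed:                              # did the server hang up after replying?
            sock.settimeout(0.5)
            try:
                closed = sock.recv(1) == b""
            except socket.timeout:
                closed = False
    except socket.timeout:
        pass                                        # no reply at all within timeout: "unknown"
    finally:
        sock.close()
    return classify(reply, closed)


def run_probe_against(handler) -> str:
    """Run `handler` on one end of a socketpair in a thread and probe the other end."""
    client, server = socket.socketpair()
    t = threading.Thread(target=handler, args=(server,), daemon=True)
    t.start()
    verdict = probe_dele(client)
    t.join()
    return verdict


def probe_host(host: str, port: int = 21) -> str:
    """Probe a real server (hypothetical wrapper, not exercised offline)."""
    return probe_dele(socket.create_connection((host, port), timeout=5.0))


if __name__ == "__main__":
    print("policy server:", run_probe_against(serve_once))        # rejected
    print("dropping server:", run_probe_against(serve_and_drop))  # abrupt-close
```

    Only "abrupt-close" is worth following up as a possible crash, and even
    then the server's own log or a debugger is what settles it; "rejected"
    is the behaviour the post describes and says nothing about memory
    safety.  Older NcFTPd versions that booted the client without a
    message would show up as "abrupt-close" too, which is why a scanner
    that stops at "connection closed" misreports them.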
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 12:13:00 PDT