On Sun, 2002-05-05 at 13:33, lion wrote:
> Multiple vuln-dev Local Vulnerabilities in some FTP Client.
>
>
> 1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability.

You might want to add another one to the list. I've encountered this during a pen-test involving a W2K sp2 client and an AIX ftp server.

The story goes as follows:

Use 'ftp <server>' on the W2K client to connect to an ftp server. Enter a username with more than 2048 characters. What happens is that the ftp server (AIX based in this case) echoes back 'user <A x 2048> unknown'. The client apparently doesn't expect such long responses and crashes, overwriting EIP.

The only exploit I could see is that such a client would connect to a rogue FTP server (maybe a DNS-poison hijacked ftp.microsoft.com, or whatever else you sniff a machine ftp'ing into frequently), and attempt to login with user anonymousat_private. The rogue ftp server could just reply with 'user <NOPNOP-shellcode-here> unknown' and root the client.

An exploitable bug is an exploitable bug, being server or client centric.

This brings up the whole discussion about what I call 'reverse buffer overflows'. Typically listening services are checked for bo's, but not that many connection-establishing services. I vaguely recall an issue with MS Outlook Internet Email where a rogue server could crash the client by responding with unexpected buffer length to clients' POP requests.

Client programs, no matter how benign, need to be programmed just as safe and checked for bo's just as diligently as server/listening code.

Regards,
Frank
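The defect Frank describes is an FTP client that copies a server reply into a fixed buffer without checking its length. The following is an added example, not code from the post or from any FTP client it mentions: a reply-line parser for the client side that enforces a maximum line length before copying anything and rejects oversized replies outright instead of trusting them. The 512-byte limit, the `struct ftp_reply` layout, the status codes, and the `make_test_reply` helper (which builds the constructed 'user <A x N> unknown' line from the post as test input) are all assumptions made for this example.

```c
/* Added example (not from the original post): bounded FTP reply parsing for a
 * client. The 512-byte line limit and the struct layout are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FTP_REPLY_MAX 512   /* assumed maximum accepted reply line, CRLF included */

enum reply_status {
    REPLY_OK = 0,
    REPLY_TOO_LONG = 1,    /* line exceeds FTP_REPLY_MAX: refuse, do not truncate-and-trust */
    REPLY_MALFORMED = 2    /* no 3-digit code, or no CRLF within the received bytes */
};

struct ftp_reply {
    int code;                   /* 3-digit reply code, e.g. 530 */
    char text[FTP_REPLY_MAX];   /* reply text after the code, NUL-terminated */
};

/* The pattern the post describes, shown only as a comment: the destination
 * size is fixed but the copy length is whatever the server chose to send.
 *   char buf[256]; strcpy(buf, server_line);   // overruns buf on a 2048-byte reply
 */

/* Parse one reply line from wire_len received bytes. The CRLF search is capped
 * at FTP_REPLY_MAX, so an oversized reply is rejected without scanning or
 * copying past the limit; every memcpy length is derived from that bound. */
enum reply_status parse_ftp_reply(const char *wire, size_t wire_len, struct ftp_reply *out)
{
    size_t limit = wire_len < FTP_REPLY_MAX ? wire_len : FTP_REPLY_MAX;
    const char *crlf = NULL;
    for (size_t i = 0; i + 1 < limit; i++) {
        if (wire[i] == '\r' && wire[i + 1] == '\n') { crlf = wire + i; break; }
    }
    if (crlf == NULL) {
        /* no terminator inside the window: oversized if more bytes are pending */
        return wire_len >= FTP_REPLY_MAX ? REPLY_TOO_LONG : REPLY_MALFORMED;
    }
    size_t line_len = (size_t)(crlf - wire);           /* bytes before CRLF */
    if (line_len + 2 > FTP_REPLY_MAX) return REPLY_TOO_LONG;

    /* reply code: exactly three ASCII digits followed by space or '-' */
    if (line_len < 4) return REPLY_MALFORMED;
    for (int i = 0; i < 3; i++)
        if (wire[i] < '0' || wire[i] > '9') return REPLY_MALFORMED;
    if (wire[3] != ' ' && wire[3] != '-') return REPLY_MALFORMED;

    out->code = (wire[0] - '0') * 100 + (wire[1] - '0') * 10 + (wire[2] - '0');
    size_t text_len = line_len - 4;                    /* < FTP_REPLY_MAX - 4, always fits */
    memcpy(out->text, wire + 4, text_len);
    out->text[text_len] = '\0';
    return REPLY_OK;
}

/* Constructed test input: "530 user <filler x 'A'> unknown\r\n", the shape of
 * the echoed reply from the post. Caller frees the result. */
char *make_test_reply(size_t filler)
{
    const char head[] = "530 user ";
    const char tail[] = " unknown\r\n";
    size_t n = (sizeof head - 1) + filler + (sizeof tail - 1);
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memcpy(s, head, sizeof head - 1);
    memset(s + (sizeof head - 1), 'A', filler);
    memcpy(s + (sizeof head - 1) + filler, tail, sizeof tail);   /* copies the NUL too */
    return s;
}

int main(void)
{
    struct ftp_reply r;
    const char normal[] = "230 User logged in.\r\n";
    printf("normal reply: status %d, code %d, text \"%s\"\n",
           parse_ftp_reply(normal, sizeof normal - 1, &r), r.code, r.text);

    char *big = make_test_reply(2048);                 /* the 2048-byte case from the post */
    printf("2048-byte reply: status %d (1 = rejected as too long)\n",
           parse_ftp_reply(big, strlen(big), &r));
    free(big);
    return 0;
}
```

The point of the cap on the CRLF search is that the client never needs a buffer as large as the largest reply a server might send; it decides the maximum it will accept, reads up to that, and treats anything longer as a protocol error, which is the check the crashing client was missing.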
This archive was generated by hypermail 2b30 : Wed May 08 2002 - 09:58:25 PDT