Buffer overflow in Microsoft ftp.exe

From: aT4r InsaN3 (at4rat_private)
Date: Wed Apr 30 2003 - 01:34:21 PDT

    There is a buffer overflow in the raw quote command in the Microsoft Windows 
    XP ftp.exe.
    
    Just type:
    
    quote AAAAAAAAA....[517 chars]...AAAAAAAAAAAA
    
    ftp.exe will crash.
    
    After several checks I was unable to exploit this vulnerability remotely, but 
    maybe there are other bugs in the way that ftp.exe manages the buffer of 
    server replies.
    
    
    An attack scenario can be the following:
    
    A Windows workstation/server that executes commands like this one:
    
    at /next:xxxxxx ftp -s:scriptfile
    
    If an attacker with access to the system is able to modify the scriptfile, he 
    can modify the script and place an evil command Quote AAAAAA..SHELLCODE... 
    and execute code with elevated privileges.
    
    
    Tested in ftp.exe v 5.1.2600.1106, WinXP SP1, Spanish version.
    Fix: check file permissions with cacls.
    
    at4r [at] 3wdesign.es Security
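
The permission check suggested in the post, as an added example that is not part of the original message. It assumes a Windows version with the ScheduledTasks module (`Get-ScheduledTask`); the helper names `Get-FtpScriptPath` and `Test-WritableByUntrusted` and the `$trusted` SID list are hypothetical choices to adapt to local policy.

```powershell
# Added example: report scheduled "ftp -s:<file>" jobs whose script file (or its
# folder) can be modified by principals outside a trusted set.
# Limits: relative script paths resolve against the current directory, and ftp
# started indirectly (cmd /c, batch files) is not detected.
$trusted   = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators (assumption)
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-FtpScriptPath([string]$Arguments) {
    # ftp.exe reads its commands from -s:<file>; the path may be quoted.
    if ($Arguments -match '-s:(?:"([^"]+)"|(\S+))') {
        if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    }
}

function Test-WritableByUntrusted([string]$Path) {
    # Resolve ACL entries to SIDs so the comparison does not depend on localized names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            ([int]$rule.FileSystemRights -band $writeMask) -and
            $trusted -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Rights = $rule.FileSystemRights }
        }
    }
}

foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only actions that launch ftp / ftp.exe directly.
        if ($action.Execute -notmatch '(^|\\)ftp(\.exe)?"?$') { continue }
        $scriptFile = Get-FtpScriptPath $action.Arguments
        if (-not $scriptFile -or -not (Test-Path -LiteralPath $scriptFile)) { continue }
        # Write access to the script or to its folder allows replacing the commands.
        $scriptFile, (Split-Path -Parent $scriptFile) | Where-Object { $_ } | ForEach-Object {
            Test-WritableByUntrusted $_ |
                Select-Object @{ n = 'Task'; e = { $task.TaskName } }, Path, Sid, Rights
        }
    }
}
```

Any row in the output names a principal other than SYSTEM or Administrators that can change what the scheduled ftp job executes.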


