On Wed, 2003-04-30 at 03:34, aT4r InsaN3 wrote:
> There is a buffer overflow in the raw quote command in the Microsoft Windows
> XP ftp.exe
>
> just type:
>
> quote AAAAAAAAA....[517 chars]...AAAAAAAAAAAA
> ftp.exe will crash
>
> after several checks i was unable to exploit this vulnerability remotely but
> maybe there are other bugs in the way that ftp.exe manages the buffer of
> server replies.

Yes, there are, or at least were.

A couple of years ago we came across a buffer overflow in the ftp client. If you use the ftp.exe client to log into an FTP server with a user name of >2048 characters or so, and the server is not a Microsoft FTP server (we used AIX in the test), the ftp client will crash when the server echoes back the long user name. (Sorry, I'm pulling this from memory. I tossed my notes together with Windows a couple of years ago ;)

For example:

  C:> ftp test.host
  220 test.host
  Name: somethingprettylongbutnottoolonghere
  331 user somethingprettylongbutnottoolonghere not found

  C:> ftp test.host
  Name: somethingverylong+A * 1024 or 2048
  331 user somethingverylongAAAA...(up to buffer size, then a pop-up window with the EIP error...)

If you enter an invalid user name, at some point the server is gonna echo that user name back to the ftp client. If the user name is too long, the long echo will overflow the ftp client. The reason this doesn't work against a Microsoft FTP server is that the MS server will truncate long user names to prevent buffer overflows. Too bad MS didn't apply the same idea to the client. An FTP server that echoes back a long user name can overflow the client. It was overwriting EIP, which means that you could execute code, albeit in the context of the user executing the ftp client.

Since we couldn't come up with a credible scenario to exploit this remotely, we were short on time, and I myself was getting fed up with MS security anyway, this issue was filed away and forgotten.

But I'm sure MS addressed this issue when they sent their programmers to security boot camp, or at least when they started code reviews/audits....

Regards,
Frank
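Added example, not part of the original thread: a Python model of the USER/331 exchange Frank describes, run over an in-process socketpair. The server side either echoes the user name verbatim (the AIX behaviour in the post) or truncates it (the Microsoft server behaviour he mentions), and the client side reads the reply through a bounded reader that refuses anything larger than its buffer instead of copying it blindly, which is the check the post says ftp.exe lacked. The 2048-byte limit, the "331 user ... not found" wording, the 512-byte recv size and the socketpair transport are assumptions for illustration; nothing here reflects the real ftp.exe internals or its actual buffer size.

```python
import socket
import threading
from typing import Optional, Tuple

CRLF = b"\r\n"

# Assumed client reply-buffer size, taken from the post's "2048 or so".
CLIENT_REPLY_BUFFER = 2048


def build_331_reply(username: bytes, truncate_to: Optional[int] = None) -> bytes:
    """Server side of the exchange (assumed reply wording, modelled on the post).

    truncate_to=None echoes the user name verbatim, like the AIX server in the
    post; an integer caps the echoed name, like the truncation the post
    attributes to the Microsoft server.
    """
    if truncate_to is not None:
        username = username[:truncate_to]
    return b"331 user " + username + b" not found" + CRLF


class ReplyTooLong(Exception):
    """Raised when a server reply would not fit the client's reply buffer."""


def read_reply(sock: socket.socket, max_len: int = CLIENT_REPLY_BUFFER) -> bytes:
    """Bounded reply reader: the check the post says the client lacked.

    Reads until CRLF but refuses to accumulate more than max_len bytes, so an
    over-long echo is rejected rather than written past a fixed-size buffer.
    """
    buf = bytearray()
    while not buf.endswith(CRLF):
        chunk = sock.recv(512)
        if not chunk:
            raise ConnectionError("server closed before end of reply")
        buf += chunk
        if len(buf) > max_len:
            raise ReplyTooLong(f"reply of more than {max_len} bytes rejected")
    return bytes(buf)


def _serve_one_login(server: socket.socket, truncate_to: Optional[int]) -> None:
    """Minimal server thread: read one USER line, answer with a 331 reply."""
    try:
        line = bytearray()
        while not line.endswith(CRLF):
            chunk = server.recv(512)
            if not chunk:
                return
            line += chunk
        if line.startswith(b"USER "):
            user = bytes(line[len(b"USER "):-len(CRLF)])
            server.sendall(build_331_reply(user, truncate_to))
        else:
            server.sendall(b"500 Syntax error" + CRLF)
    except OSError:
        pass  # client went away mid-reply; nothing more to do
    finally:
        server.close()


def run_exchange(username: bytes,
                 server_truncate: Optional[int] = None,
                 client_max: int = CLIENT_REPLY_BUFFER) -> Tuple[str, bytes]:
    """Run USER/331 over an in-process socketpair (constructed test transport).

    Returns ("ok", reply) when the bounded reader accepted the reply, or
    ("rejected", reason) when it refused an over-long one.
    """
    client, server = socket.socketpair()
    t = threading.Thread(target=_serve_one_login, args=(server, server_truncate))
    t.start()
    try:
        client.sendall(b"USER " + username + CRLF)
        try:
            return "ok", read_reply(client, client_max)
        except ReplyTooLong as exc:
            return "rejected", str(exc).encode()
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print(run_exchange(b"alice"))
    print(run_exchange(b"A" * 3000))                       # echoed verbatim: rejected
    print(run_exchange(b"A" * 3000, server_truncate=256))  # server truncates: accepted
```

The point of the model is which side enforces the limit: truncation on the server only protects clients that happen to talk to that server, while a bound in the client's own reply reader protects it against any server, including a hostile one that echoes exactly what it was sent.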
This archive was generated by hypermail 2b30 : Wed May 14 2003 - 08:17:20 PDT