Re: Buffer overflow in Microsoft ftp.exe

From: Frank Knobbe (fknobbeat_private)
Date: Tue May 13 2003 - 22:17:25 PDT

Next message: Joel Eriksson: "Re: vulndev-1 exploit."

Previous message: andrewgat_private: "RE: Administrivia: List Announcement"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2003-04-30 at 03:34, aT4r InsaN3 wrote:
> There is a Buffer overflow in the raw quote command in the Microsoft Windows 
> XP ftp.exe
> 
> just type:
> 
> quote AAAAAAAAA....[517 chars]...AAAAAAAAAAAA
> ftp.exe will crash
> 
> after several checks i was unable to exploit this vulnerability remotely but 
> maybe there are other bugs in the way that ftp.exe manages the buffer of 
> server replyes.

Yes, they are, or at least were. A couple years ago we came across a
buffer overflow in the ftp client. If you use the ftp.exe client to log
into an FTP server with a user name >2048 or so, and the server is not a
Microsoft FTP server (used AIX in the test), the ftp client will crash
when the server echo back the long user name.

(sorry, I'm pulling this from memory. I tossed my notes together with
Windows a couple years ago ;) 

For example:
C:> ftp test.host
220 test.host
Name: somethingprettylongbutnottoolonghere
331 user somethingprettylongbutnottoolonghere not found

C:> ftp test.host
Name: somethingverylong+A * 1024 or 2048
331 user somethingverylongAAAA...(up to buffer size, then a pop up
Window with the EIP error...)

If you enter an invalid user name, at some point the server is gonna
echo that user name back to the ftp client. If the user name is too
long, the long echo will overflow the ftp client. The reason this
doesn't work against a Microsoft FTP server is that the MS server will
truncate long user names to prevent buffer overflows. Too bad MS didn't
apply the same idea to the client. An FTP server that echos back a long
user name can overflow the client. It was overwriting EIP which means
that you could execute code, albeit in the context of the user executing
the ftp client.

Since we couldn't come up with a credible scenario to exploit this
remotely, were short on time, and I myself was getting fed up with MS
security anyway, this issue was filed away and forgotten. But I'm sure
MS addressed this issue when they sent their programmers to security
boot camp or at least when they started code reviews/audits....

Regards,
Frank

application/pgp-signature attachment: This is a digitally signed message part

Next message: Joel Eriksson: "Re: vulndev-1 exploit."
Previous message: andrewgat_private: "RE: Administrivia: List Announcement"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 14 2003 - 08:17:20 PDT