Bugtraq mailing list archives
NcFTPd remote buffer overflow
From: sw3wn () CSOFT NET (Julien Nadeau)
Date: Tue, 23 Feb 1999 12:37:49 -0400
Proof of Concept - Security Advisory 02/23/99
http://poc.csoft.net

Released by poc () csoft net
sw3wn () poc csoft net

---

Affected Program: NcFTPd <http://www.ncftp.com>
Description: FTP server (commercial)
Severity: Theoretical root compromise, logs compromise

Synopsis:

NcFTPd is a commercial FTP (File Transfer Protocol) server, in the NcFTP product line. The source code is not publicly released. This was tested on Linux with libc5 (there's a glibc2 specific version available).

Problem:

NcFTPd's PORT parsing function has a stack buffer overflow problem, which would basically allow a user to remotely execute arbitrary code - the thing here is that the PORT parsing function seems to change characters that are not in the range 0x30-0x39 (ASCII '0'-'9') into 0x20 (ASCII space), hence making an exploit almost impossible (note that, if ASCII 0x40 were allowed, that would be a different story =p). The program only parses for characters out of the 0-9 range in a specific area in memory (the one that contains the return address heh) - the rest is kept unchanged, and you can't really go further in memory; input line size is restricted. However, since NcFTPd does not come with source code, I'm not sure.

Like with most buffer overflows there are probably work-arounds to exploit it - this could have been a particularly neat exploit, since it runs as a child and one could gain access transparently without crashing the parent.

The current bug is not really a problem: it can crash the child process with a segfault, the parent process receives a signal 6 (abort), and the child process stays zombie for a few seconds and a brand new one is created. A few minor DoS attacks are possible but, who cares. Oh, and this could be used to not get listed in the logs too.

Example:

--
evil:$ nc victim ftp
220 victim NcFTPd Server (unregistered copy) ready.
user anonymous
331 Guest login ok, send your complete e-mail address as password.
pass some@thing
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Logged in anonymously.
port 00000000000000000000000000000000000000000000 (...)
501 Syntax error in parameters.
evil:$
--

Status:

I couldn't come up with a patch, since the source code doesn't come with NcFTPd. I contacted the authors about the bug.
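The defect described above is a PORT argument copied into a fixed stack buffer without a length check. The following is an added example, not code from NcFTPd or from the advisory's author, showing how a PORT argument (RFC 959 form `h1,h2,h3,h4,p1,p2`) can be parsed with an explicit length bound and per-field validation so that an over-long or non-numeric argument, such as the run of zeros in the session above, is rejected with a syntax error instead of overrunning a buffer. The function names, the `PORT_ARG_MAX` limit and the sample inputs are assumptions made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Longest legal argument is "255,255,255,255,255,255": 23 characters.
   Anything longer cannot be a valid PORT argument, so it is rejected
   before any field is examined (assumed limit for this example). */
#define PORT_ARG_MAX 23

struct port_target {
    uint8_t  ip[4];
    uint16_t port;
};

/* Parse the argument of an FTP PORT command.
   Returns 0 on success and fills *out; returns -1 on any syntax error.
   The input is never copied into a fixed buffer: the string is walked
   in place under an explicit length bound, and every field must be a
   1-3 digit decimal octet (0-255), so the parser cannot overflow and
   has no reason to rewrite unexpected bytes into spaces. */
int parse_port_arg(const char *arg, struct port_target *out)
{
    if (arg == NULL || out == NULL)
        return -1;

    /* Bounded length scan: stop as soon as the limit is exceeded. */
    size_t n = 0;
    while (n <= PORT_ARG_MAX && arg[n] != '\0')
        n++;
    if (n == 0 || n > PORT_ARG_MAX)
        return -1;

    unsigned vals[6];
    const char *p = arg;
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;              /* field must start with a digit */
        unsigned v = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || v > 255)
                return -1;          /* each field is one octet */
            p++;
        }
        vals[i] = v;
        if (i < 5) {
            if (*p != ',')
                return -1;          /* fields are comma separated */
            p++;
        }
    }
    if (*p != '\0')
        return -1;                  /* trailing garbage */

    for (int i = 0; i < 4; i++)
        out->ip[i] = (uint8_t)vals[i];
    out->port = (uint16_t)((vals[4] << 8) | vals[5]);
    return 0;
}

/* Small wrapper used by the demo and tests: the data port, or -1. */
int port_from_arg(const char *arg)
{
    struct port_target t;
    if (parse_port_arg(arg, &t) != 0)
        return -1;
    return (int)t.port;
}

int main(void)
{
    /* Constructed sample inputs, not captured from any server. */
    const char *samples[] = {
        "127,0,0,1,4,1",                                  /* valid: port 1025 */
        "00000000000000000000000000000000000000000000",   /* over-long run of digits */
        "10,0,0,1,0,21,extra",                            /* trailing garbage */
        "256,0,0,1,0,21",                                 /* octet out of range */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int port = port_from_arg(samples[i]);
        if (port < 0)
            printf("%-46s -> 501 Syntax error in parameters.\n", samples[i]);
        else
            printf("%-46s -> data port %d\n", samples[i], port);
    }
    return 0;
}
```

Note the design choice: the length check runs before any field parsing, so the server's response to an over-long argument is the same `501` it gives to any other malformed PORT, and the parser never has to "repair" stray bytes in memory the way the advisory observed NcFTPd doing.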