Bugtraq mailing list archives

bugtraq () security nnov ru list issue: NcFTPd


From: Mike Gleason <mgleason () ncftp com>
Date: Thu, 20 Jun 2002 17:53:23 -0500

 (this came from a bugtraq posting by 3APA3A () SECURITY NNOV RU)

On Thu, Jun 20, 2002 at 02:00:51PM +0400, 3APA3A wrote:


3. There was also a report by DocSoft <docsoft at mail.ru> on a buffer overflow in some older version of ncftpd on Solaris, but I was not able to reproduce it, at least on the demo version of ncftpd >= 2.5.0 under FreeBSD, so it was bounced. The overflow is on the FTP DELE command with a buffer > 256 bytes. Feel free to contact DocSoft if you can confirm the vulnerability.


I can't read Russian, but I am guessing that DocSoft is making a similar incorrect conclusion to what the older versions of the Nessus scanner used to do. Below is a snippet from the page http://hackcastle.hut.ru/p_bugs.htm, which contains some Cyrillic characters, so it may not be legible, but:

   Bug in NcFTPd Server [author: DocSoft]
   View
   Implementation of a DoS attack on FTP

I do see "DoS" so I assume that DocSoft is concluding that sending a very long "DELE AAAA...AAA" is causing NcFTPd to exit because the connection is abruptly closed. Often when a server process abruptly closes the connection it means that the server process has crashed, resulting in (at a minimum) a denial-of-service.

However, NcFTPd has code to detect clients looking for buffer overflows, and when it detects a client attempting one, NcFTPd forcefully disconnects the user. Older versions used to simply boot them off with no message, but that was changed so that it sends back an FTP "550" response first, _then_ it disconnects them.

Long story short: sending "DELE " followed by a huge number of characters does not cause any version of NcFTPd Server to crash or overflow an internal buffer.

Mike Gleason
NcFTP Software
http://www.NcFTP.com
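The behaviour described in the message, an explicit 550 reply followed by a deliberate disconnect, is what separates a server that rejects over-long input from one that has crashed. The following is an added example, not NcFTPd's code or anything from the thread: a toy FTP control-channel handler that enforces an argument-length limit and answers 550 before closing, plus a probe that records the last reply seen before the close and classifies it. The 256-byte limit (borrowed from the "> 256 bytes" figure in the thread), the reply wording, and the in-process socketpair transport are assumptions of this example.

```python
"""Added example (not NcFTPd's code): a toy FTP control-channel handler that
enforces an argument-length limit the way the thread describes (reply 550,
then disconnect), plus a probe that records the last reply before the close,
which is the observation a scanner needs before calling a disconnect a crash.
The 256-byte limit and the reply wording are assumptions for this example."""
from __future__ import annotations

import socket
import threading

MAX_ARG_LEN = 256  # assumed limit, taken from the "> 256 bytes" figure in the thread


def handle_command(line: bytes) -> tuple[bytes, bool]:
    """Handle one command line; return (reply, disconnect_after_reply)."""
    parts = line.rstrip(b"\r\n").split(b" ", 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else b""
    if len(arg) > MAX_ARG_LEN:
        # Over-long argument: refuse it explicitly, then drop the session.
        return b"550 Argument too long; closing control connection.\r\n", True
    if verb == b"DELE":
        if not arg:
            return b"501 Syntax error in parameters.\r\n", False
        # No real filesystem behind this example, so every DELE fails cleanly.
        return b"550 File not found.\r\n", False
    if verb == b"NOOP":
        return b"200 NOOP ok.\r\n", False
    if verb == b"QUIT":
        return b"221 Goodbye.\r\n", True
    return b"502 Command not implemented.\r\n", False


def serve(conn: socket.socket) -> None:
    """Serve one control connection until a command asks for disconnect or EOF."""
    conn.sendall(b"220 Example FTP ready.\r\n")
    buf = b""
    while chunk := conn.recv(4096):
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            reply, disconnect = handle_command(line)
            conn.sendall(reply)
            if disconnect:
                conn.close()
                return
    conn.close()


def probe(command: bytes) -> tuple[list[bytes], bool]:
    """Send one command followed by NOOP over an in-process socketpair.

    Returns (replies seen, server_closed_after_command).  A 200 answer to
    NOOP proves the server survived the first command.
    """
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve, args=(server,))
    worker.start()
    client.sendall(command + b"\r\nNOOP\r\n")
    try:
        client.shutdown(socket.SHUT_WR)  # nothing more to send; server sees EOF
    except OSError:
        pass  # server already closed; EOF is implied
    data = b""
    try:
        while chunk := client.recv(4096):
            data += chunk
    except ConnectionResetError:
        pass  # peer closed with unread input queued; treat as end of stream
    worker.join()
    client.close()
    replies = [r for r in data.split(b"\r\n") if r]
    survived = any(r.startswith(b"200") for r in replies)
    return replies, not survived


def classify(replies: list[bytes], closed_after_command: bool) -> str:
    """What an observer may conclude from the exchange: a 550 right before
    the close is a deliberate rejection, a silent close is inconclusive."""
    if not closed_after_command:
        return "still serving"
    last = replies[-1] if replies else b""
    if last.startswith(b"550"):
        return "rejected then disconnected: deliberate, no evidence of a crash"
    return "abrupt disconnect: inconclusive, could be a crash or a silent boot"


if __name__ == "__main__":
    for cmd in (b"DELE notes.txt", b"DELE " + b"A" * 300):
        replies, closed = probe(cmd)
        print(cmd[:20], "->", classify(replies, closed))
```

The probe sends a NOOP behind the command under test so that survival is proven by a reply rather than inferred from silence; a scanner that only watches for the connection to drop cannot tell the two cases apart, which is exactly the misreading the message describes for the older Nessus checks.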

