Re: FTP.EXE format string vulnerability

[Jarno Huuskonen <Jarno.Huuskonen () uku fi>]

On Sun, Jun 10, ByteRage wrote:
> It probably *still* doesn't matter much, but I found
> that the linux (Redhat 6.0 / Kernel 2.4.2) ftp client
> is also vulnerable to format string vulnerabilities :

This has been on vuln-dev or bugtraq earlier.

> example :
>
> site %x
>
> NOTE : about my previous post : GET should've been a
> command to the server, like RETR or STOR... however,
> whether it's a working command or not, the format
> string bug still occurs.

This patch might help:
--- netkit-ftp-0.16/ftp/cmds.c-orig     Tue Oct  3 09:05:01 2000
+++ netkit-ftp-0.16/ftp/cmds.c  Tue Oct  3 09:04:26 2000
@@ -1663,7 +1663,7 @@
                        len += strlen(strcpy(&buf[len], argv[i]));
                }
        }
-       if (command(buf) == PRELIM) {
+       if (command("%s", buf) == PRELIM) {
                while (getreply(0) == PRELIM);
        }
 }

I think I backported the patch from netkit-ftp-0.17 or something like
that ... or just upgrade to newer netkit-ftp

-Jarno

-- 
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen () uku fi