Bugtraq mailing list archives

Re: ncftp 2.4.3 bug


From: mgleason () NCFTP COM (Mike Gleason)
Date: Mon, 22 Jun 1998 13:11:04 -0500


At 09:57 AM 6/22/98 -0500, Shaw Terwilliger <twig () babba advancenet net> wrote:

> I hope you sent this to Mike Gleason before BugTraq...

Of course he didn't.  It wouldn't do much good if I could post an official
patch before there was widespread exploitation of the bug.  After all, the
more damage the bug causes, the more prestige he had to gain at my expense.
However, I do subscribe to this list, and had been working on this problem
(see below).

> you're not helping
> anyone by excluding the author from your audience.  How do you think bugs
> are going to get fixed if you never tell the author [...] ?

Agreed.  This is irresponsible and inexcusable behavior, especially
considering my e-mail address is displayed every single time you run the
program.  But it'll keep happening too, as long as these self-appointed
security experts exist with their own agendas.  Michael at Cygnus
experienced this problem with SN not too long ago, and of course I did as
well a few months ago.


> [...] Paul Boehm <paul () BOEHM ORG> wrote:
> i think i've found a bug in ncftp 2.4.3 (latest stable release)...
> if you connect to a ftp server that responds with something like the
> shit below ncftp2.4.3 segfaults. i think this is exploitable,
> but had no time/motivation to look further into it.


> every reply that looks like this works:
> 331 a
> 230 b
> c[putting here some exploit code may work]
>
> PS: i have no clue why this crashes ncftp... i haven't looked through
>     ncftp's source
>
> but maybe someone else will.

Did you ever think that perhaps the author would?

He didn't seem to have enough time to make a cursory investigation to why
this happens or at least report it to me, but oddly he had plenty of time
to post to this list about it.  At least the last guy spent enough time to
write an exploit to prove in fact that it was a bug and needed a fix ASAP.

As for this particular bug, it crashes because ncftp 2.x was trying to copy
from a NULL pointer.  So, no buffer exploit.  Version 3 (still beta)
handles it just fine.  The official gospel is to upgrade to version 3,
since the bug doesn't occur naturally in the wild.

BTW, thanks Shaw for making sure I knew about it.  Luckily there are still
more responsible Netizens out there than not.
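The crash class Mike describes above (a reply line with no numeric code leaving a NULL pointer that the client then copies from), as an added example that is not ncftp's code: a constructed, minimal FTP reply reader in C that treats such a line as a protocol error instead of copying from NULL. The function names and the sample reply lines are constructed for illustration only.

```c
/* Constructed example, not ncftp's source: a minimal reader for FTP reply
 * lines like the "331 a / 230 b / c" sequence in the report. A line with no
 * "NNN " or "NNN-" prefix yields a NULL text pointer; copying from it is the
 * crash class described in the post, so the hardened path reports an error. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return the text after a 3-digit reply code, or NULL if the line has none.
 * On success *code receives the numeric code and *multi is set when the
 * line opens a multi-line reply ("NNN-"). */
static const char *reply_text(const char *line, int *code, int *multi)
{
    if (strlen(line) >= 4 &&
        isdigit((unsigned char)line[0]) && isdigit((unsigned char)line[1]) &&
        isdigit((unsigned char)line[2]) && (line[3] == ' ' || line[3] == '-')) {
        *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
        *multi = (line[3] == '-');
        return line + 4;
    }
    return NULL;
}

/* Parse a sequence of reply lines, copying the last coded reply's text into
 * buf (bounded). Returns the last reply code, or -1 when a bare line appears
 * outside a multi-line reply (the "c" line in the report). Never copies
 * from a NULL pointer. */
int parse_reply(const char *const *lines, size_t n, char *buf, size_t buflen)
{
    int code = -1, in_multi = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int multi = 0;
        const char *text = reply_text(lines[i], &code, &multi);
        if (text == NULL) {
            if (!in_multi)
                return -1;      /* the 2.x code path copied from NULL here */
            continue;           /* legitimate continuation of a "NNN-" reply */
        }
        in_multi = multi;
        snprintf(buf, buflen, "%s", text);  /* bounded copy, no overflow */
    }
    return code;
}
```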
