Bugtraq mailing list archives
nftp vulnerability (fwd)
From: ericw () FUTUREONE COM (Eric Wanner)
Date: Mon, 16 Nov 1998 18:02:43 -0700
nftp is a shareware ftp program available at ftp://crydee.sai.msu.su/pub/comp/software/asv/nftp/ that is becoming more and more widely used.

Cause: nftp incorrectly handles strings returned by the server.

Tested: tested on version 1.40 linux-libc5 by sending 220 and 4400 X's followed by a \n (didn't work without the \n because it didn't get processed). 4400 was a random number; it has nothing to do with the exploitability of this program.

Vulnerability: It appears to be an internal buffer that is being overfilled, but I do not have the source code, so I cannot tell. If it is an internal buffer, it may be possible to execute arbitrary code on the connecting computer, but they have to connect to the server, and they must be running this ftp program.

Fix: I do not have the source code so I can't create a patch =). It seems that too much trust is being put on the servers these days.

I have included a sample crash. Put it in your inetd if you want to see for yourself.

Creator Notified: The creator was notified shortly before sending this report.

Fix available: not yet.

--
Eric Wanner
Head Systems Administrator
FutureOne, Inc.
602-385-3379
http://home.futureone.com
EfNet: holobyte
Personal Email: holobyte () holobyte org
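The bounded reply-line handling that the report implies nftp lacks, written here as an added example (not nftp's code, whose source the poster did not have): the client checks a server reply line against its buffer size before copying a single byte, and treats a long stream with no newline the same way, so the 4400-X banner from the report is refused instead of overflowing anything. MAX_REPLY, the status values and the hostname in the normal banner are assumptions; the oversized banner is constructed to match the report's test input.

```c
#include <ctype.h>
#include <string.h>

/* Largest reply line the client accepts: a constructed limit for this example,
 * not an nftp value. RFC 959 does not bound reply length, so the client must. */
#define MAX_REPLY 512

enum { REPLY_INCOMPLETE = -1, REPLY_TOO_LONG = -2, REPLY_MALFORMED = -3 };

/* Copy one reply line from buf[0..len) into out (capacity outsz) and parse its
 * 3-digit code. Returns bytes consumed (> 0) or a negative status. The length
 * test runs before any copy, so an oversized banner is refused, never written
 * past the end of out. */
int ftp_read_reply(const char *buf, size_t len, char *out, size_t outsz, int *code)
{
    const char *nl = memchr(buf, '\n', len);
    if (nl == NULL)                        /* no newline yet */
        return len >= outsz ? REPLY_TOO_LONG : REPLY_INCOMPLETE;
    size_t linelen = (size_t)(nl - buf);
    if (linelen > 0 && buf[linelen - 1] == '\r')
        linelen--;                         /* tolerate CRLF */
    if (linelen >= outsz)
        return REPLY_TOO_LONG;
    memcpy(out, buf, linelen);
    out[linelen] = '\0';
    if (linelen < 3 || !isdigit((unsigned char)out[0]) ||
        !isdigit((unsigned char)out[1]) || !isdigit((unsigned char)out[2]))
        return REPLY_MALFORMED;
    *code = (out[0] - '0') * 100 + (out[1] - '0') * 10 + (out[2] - '0');
    return (int)(nl - buf) + 1;
}

/* The banner from the report: "220 " then 4400 X's then a newline. */
int demo_long_banner(void)
{
    static char banner[4405];
    char out[MAX_REPLY]; int code = 0;
    memcpy(banner, "220 ", 4);
    memset(banner + 4, 'X', 4400);
    banner[4404] = '\n';
    return ftp_read_reply(banner, sizeof banner, out, sizeof out, &code); /* REPLY_TOO_LONG */
}

/* An ordinary greeting (constructed) parses normally and yields its code. */
int demo_normal_banner(void)
{
    const char *banner = "220 ftp.example.test ready\r\n";
    char out[MAX_REPLY]; int code = 0;
    return ftp_read_reply(banner, strlen(banner), out, sizeof out, &code) > 0 ? code : -1;
}
```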