Re: war-ftpd 1.6x DoS

[jgaa () JGAA COM (Jarle Aase)]

I can confirm that version 1.6* have a problem, as described in the initial report.

Until now, the command parser in War FTP Daemon 1.6* has allowed commands up to 8 KB in size. To prevent this, and 
other buffer-overflow problems, this size is decreased to (MAX_PATH + 8), and an additional check is added that 
prevents any command argument to exceed MAX_PATH in length. 

A new version, 1.67-4 has been released with this modification. See http://war.jgaa.com/alert/ for download details.

Jarle Aase

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
> Toshimi Makino
> Sent: Tuesday, February 01, 2000 8:59 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: war-ftpd 1.6x DoS
>
>
> Hello,
>
>
> "war-ftpd" is very popular ftp server for Windows95/98/NT.
> I found DoS problem to "war-ftpd 1.6x" recently.
>
>
> Outline:
>   It seems to occur because the bound check of the command of MKD/CWD
>   that uses it is imperfect when this problem controls the directory.
>
>   However, could not hijack the control of EIP so as long as I test.
>   It is because not able to overwrite the RET address,
>   because it seems to be checking buffer total capacity properly
>   in 1.66x4 and later.
>
>   The boundary of Access Violation breaks out among 8182 bytes
>   from 533 bytes neighborhood although it differs by the thread
>   that receives attack.
>
>
> The version that is confirming this vulnerable point is as follows.
>   1.66x4s, 1.67-3
>
>
> The version that this vulnerable point was not found is as follows.
>   1.71-0
[...]