Vulnerability Development mailing list archives

Re: iis (ftp) 4.0


From: Marc Maiffret <marc () eeye com>
Date: Tue, 1 Aug 2000 08:52:22 +0100

It's a client-side bug with 'quote'. The same happens if you 'quote %p'
etc... We have played with it a bit and determined it to be client side.

If you're looking for holes in IIS or any Windows-based software then it is
best to write your own test tools. A lot of the time you will see false
positives from things like telnet.exe, ftp.exe etc....

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com


| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
| Guilherme Mesquita
| Sent: Sunday, July 30, 2000 1:46 PM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: iis (ftp) 4.0
|
|
| hey doods take a look at this:
|
| bash-2.03$ ftp xxx.xxx.microsoft.com
| Connected to xxx.xxx.microsoft.com
| 220 mickeysoft Microsoft FTP Service (Version 4.0).
| Name (xxx.xxx.microsoft.com:guy): anonymous
| 331 Anonymous access allowed, send identity (e-mail name) as password.
| Password:
| 230 Anonymous user logged in.
| Remote system type is Windows_NT.
|
| ftp> quote cd
| %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
| %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
| %f%f%f%f%f
| %f%f
| %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
| %f%f%f%f%f
| %f%f
| %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
| %f%f%f%f%f
| %f%f
| %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
| %f%f%f%f%f
| %f%f
| %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
| ---> cd
| -1.998074nan-1.9859430.0000000.0000000.0000000.0000000.0000000.0000000.0
| 000000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000
| 0000.00000
| 00.0
| 000000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000
| 0000.00000
| 00.0
| 000000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000
| 0000.00000
| 00.0
| 000000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000
| 0000.00000
| 00.0
| 000000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000
| 0000.00000
| 07.4
| 42459-1.9925080.00000086816672739201387167646197334643244353738878
| 1070233202
| 8541
| 322470032997080649810600699966006737127247397228742637573540249266
| 3674631417
| 0301
| 796640981108655387787154016958401583367784810035467926763803788334
| 3087572268
| 5103
| 4425372636072254092181766144.000000-1.9864577.330009-1.9867567.442
| 4593026459
| 6817
| 156688177460737829504276698666852065392074697193770247413313626341
| 3465766913
| 1456
| 798305708918593252675105189369237102250881173406194545227609736827
| 7402561850
| 9710
| 455104593995806290180648228932461181941782137807809322530767845501
| 3102407273
| 9522
| 38961588483129344.000000465175286548517542448929182683805232068466
| 3402268111
| 9172
| 234361458742794928218333627954530571039483388205675127966341766873
| 3585513958
| 6589
| 3389880296099612867387038073632042600167414774069191595008196608.0
| 00000-1.98
| 6652
| 7.2852032.1433197.2794500.0000000.0000000.0000000.0000000.0000000.
| 0000007.28
| 5202
| 2.0011602.0030212.1451420.000000-1.9865840.000000-1.9866943.004586
| 0.0000000.
| 0000
| 000.0000000.0000000.0000000.0000000.0000000.000000-1.9866980.00000
| 00.0000007
| .442
| 460-1.9925377.443452-1.9877367.442460-1.992537-1.987736-1.9867567.
| 442462-1.9
| 8945
| 80.000000381691985462679806571086643334894129413560060421953696374
| 0360101346
| 2056
| 864539893841124306890605105883641536809075484314260201885963274460
| 7067292251
| 5804
| 335042984791148824632886296576.00000023910764503558327809968585679
| 4904753528
| 3246
| 846405285112445961520801515424496282671839198369722967123399473135
| 6751671202
| 1806
| 599804003469718488379097575110441305367753606873168890538157186092
| 1116618563
| 5988
| 37961378162465810754104398921686249897984.000000969868425604649708
| 3305254555
| 9147
| 982605799629154273605587503128275675417416389957708987963266131532
| 9702437740
| 9072
| 707985125605671621986703871634197157274897836246571863287412515363
| 6183761962
| 9995
| 526919895562998186026713362755030325207280732078080.0000000.000000
| 0.0000000.
| 0000
| 000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000000
| 0.0000000.
| 0000
| 000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000000
| 0.0000000.
| 0000
| 000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000000
| 0.0000000.
| 0000
| 000.0000000.0000000.0000000.0000000.0000000.0000000.0000000.000000
| 0.0000000.
| 0000
| 000.0000000.0000000.0000000.0000000.0000000.000000-1.987362-1.9873
| 707.285600
| 2.14
| 33197.2809140.0000000.0000000.0000000.0000000.0000000.0000007.2724
| 767.277908
| 7.27
| 87630.0000000.000000-1.9873010.000000-1.9874127.2779090.0000000.00
| 00000.0000
| 000.
| 0000000.0000000.0000000.000000-1.987408-1.9874160.0000007.330860-1
| .9874380.0
| 0000
| 00.000000-1.9877100.000000-1.988768-1.987710-1.9874650.000000-1.98
| 76677.2855
| 622.
| 1433197.2843637.2855622.1433197.2792860.0000000.0000000.0000000.00
| 00007.2740
| 027.
| 2787630.0000000.000000-1.9875985.4623583.6117480.0000003.494735
| 421 Service not available, remote server has closed connection
| ftp>
|
| I thought it was very weird and also I couldn't state if the ftpd really
| coredump.. but I know it stays at least up because I can reconnect to
| the host. I have a theory that it core-dumps because of the client, and
| not because of the server itself...
|
| If anyone has any info about this... lemme know.
|
| --
| ----
| Guilherme Mesquita
| UIN#5864338
| guy () linuxbr com br
| ----
| Linux is Luke.
| FreeBSD is Yoda.
| ---
|
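
Added example (not part of the original posts, and not the source of any real ftp client): a minimal C sketch of the kind of client-side format-string bug the reply describes, assuming the client hands the 'quote' argument to a printf-style helper as the format. The names send_cmd, quote_vulnerable and quote_fixed are hypothetical, and the input strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a client's printf-style "send command" helper.
 * It formats the command into out, as such a helper would before echoing
 * it ("---> ...") and writing it to the control connection. */
static int send_cmd(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: the user's text is used as the format string, so
 * conversions such as %f or %p would fetch arguments that were never
 * passed. The client then prints whatever it finds, and may crash, before
 * the server has seen anything unusual. */
int quote_vulnerable(char *out, size_t n, const char *user_line)
{
    return send_cmd(out, n, user_line);
}

/* Fixed pattern: constant format, user text passed only as data. */
int quote_fixed(char *out, size_t n, const char *user_line)
{
    return send_cmd(out, n, "%s", user_line);
}

int main(void)
{
    char buf[128];
    /* "%%" is a well-defined probe: a formatter collapses it to "%",
     * so a changed string shows the input was parsed as a format. */
    const char *probe = "cd 100%%";

    quote_vulnerable(buf, sizeof buf, probe);
    printf("vulnerable: %s\n", buf);
    quote_fixed(buf, sizeof buf, probe);
    printf("fixed:      %s\n", buf);
    quote_fixed(buf, sizeof buf, "cd %f%f%p");
    printf("fixed:      %s\n", buf);
    return 0;
}
```

With the fixed form the command reaches the wire byte for byte, which is what a purpose-built test tool needs before any server behaviour can be attributed to the server.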

