Vulnerability Development mailing list archives

Re: [Ftp client , Format strings and SEGFAULTS]


From: KF <dotslash () snosoft com>
Date: Wed, 05 Dec 2001 14:42:09 -0500

I certainly stand corrected... I assumed that the addresses in the server
response were from the client processing the %x%x's when the error was
returned to the client... it was indeed sent to the server in that format
and sent back the same way...

[elguapo@linux elguapo]$ nc -l -p 2345
220
USER anonymous
220
SYST
220
SITE %x
500 %p%p%p%p%p

.... Meanwhile, on my other terminal:

[elguapo@linux elguapo]$ ftp localhost 2345
Connected to localhost.
220
Name (localhost:elguapo): anonymous
220
Remote system type is .
ftp> site %x
500 %p%p%p%p%p

^----- note that, just as Michal stated, the client does properly handle
the response from the server.

-KF



Michal Zalewski wrote:

On Wed, 5 Dec 2001, KF wrote:

Theoretically a server could construct a malicious response to a site
quote command and maybe take control of the client...

So far, we've seen fault conditions while parsing user-provided input
(commands). I didn't audit Linux ftp client, but I've performed several
tests some time ago, and I recall it seems to handle server responses
well. I didn't look too carefully, so it might be possible somewhere
(handling more advanced commands like 'mget', perhaps?), but it looks good
with simple activity...

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
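The distinction the thread turns on is whether text the client did not write reaches the printf family as the format string or as a plain `%s` argument. The following is an added example written for this archive page; it is not code from the netkit ftp client and makes no claim about where that client's bug lives. It renders a constructed server reply, `500 %p%p%p%p%p` as in KF's nc session, through both patterns and gives a check that reports whether the client reproduced the reply byte for byte (the behaviour KF observed) or interpreted the directives. The function names and the dummy-argument trick are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this thread; not code from the netkit ftp client.
 * Contrasts the two ways untrusted text (a locally typed "SITE %x", or
 * a "500 %p%p%p%p%p" reply from the server) can reach the printf
 * family: as the format string, or as a %s argument. */

/* Vulnerable pattern: the untrusted text IS the format string, so every
 * %-directive in it is interpreted and consumes an argument. A printf
 * call with fewer arguments than directives is undefined behaviour, so
 * to keep this demonstration well-defined we pass eight dummy pointer
 * arguments (enough for up to eight %p directives; extra arguments are
 * ignored by the standard). Where the server wrote a literal "%p", the
 * output shows an address instead: the symptom to look for when testing. */
int render_as_format(char *out, size_t outlen, const char *untrusted)
{
    static int marker;        /* any object; only its address is printed */
    void *m = &marker;
    return snprintf(out, outlen, untrusted, m, m, m, m, m, m, m, m);
}

/* Correct pattern: the untrusted text is data, passed through "%s".
 * Directives in it are copied verbatim, never interpreted. */
int render_as_data(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Test-side check: is what the client shows identical to what the fake
 * server sent? Returns 1 if handled properly (as in KF's transcript),
 * 0 if the client interpreted the directives. */
int reply_echoed_verbatim(int (*render)(char *, size_t, const char *),
                          const char *reply)
{
    char shown[512];
    render(shown, sizeof shown, reply);
    return strcmp(shown, reply) == 0;
}

int main(void)
{
    /* Constructed server reply, mirroring the nc session in the thread. */
    const char *reply = "500 %p%p%p%p%p";
    char shown[512];

    render_as_data(shown, sizeof shown, reply);
    printf("as data:   %s\n", shown);
    render_as_format(shown, sizeof shown, reply);
    printf("as format: %s\n", shown);

    printf("data path verbatim:   %d\n",
           reply_echoed_verbatim(render_as_data, reply));
    printf("format path verbatim: %d\n",
           reply_echoed_verbatim(render_as_format, reply));
    return 0;
}
```

To reproduce the thread's test against a real client without a server, the `nc -l -p 2345` listener shown above is enough: type the reply line with the directives yourself and compare what the client prints with what you typed. Any difference means the client passed the reply as a format string.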

