Vulnerability Development mailing list archives

Re: ftp.exe buffer overflow ?


From: Egemen Tas <egement () KARYDE COM TR>
Date: Mon, 12 Feb 2001 00:53:42 -0800

This bug is different from the ones you mentioned..
This is the bug in MS FTP Client's QUOTE command.
When dealing with escape characters and formatting tags like %s %d %u, the quote
command's behaviour is undetermined. (Because I am too lazy to disassemble
ftp.exe, do not wait for detailed information on this symptom.)

The errors given occur when ftp.exe tries to output the error to the
screen.
Probably a function like printf() or fprintf() is called; it will try to
read a garbage region in the stack, which leads to a segmentation fault.

In my opinion this may be overflowable (because the error occurs in the
Stack Segment! I may be wrong),
but it does not pose a great security risk, because ftp.exe runs with the
credentials of the currently logged on user.

QUOTE %s%s%s will give an error according to the # of %s's, which depends on the
length of the command you have entered.

Also, the command below gives strange results:

QUOTE %d
500 '16807968': command not understood

QUOTE %x etc.

Microsoft has been informed about this situation.

Regards
Egemen Tas

----- Original Message -----
From: "Mike Duncan" <duncan () RANDOMTASK NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 10:18 AM
Subject: Re: ftp.exe buffer overflow ?


I tried this on...

* Win98 (4.10.1998): Invalid page fault (as described).
* RedHat 7.0 NcFTP 3.0.1/448 (Library version: LibNcFTP 3.0.1): Segmentation fault.
* RedHat 7.0 FTP (Linux NetKit (0.17-pre-20000412August 15, 1999)): "501
Cannot EXEC command line (error=2)." Appeared to be fixed?

I know this is an old bug, but I wanted to show it still exists in some
but not all apps.


On Sat, 10 Feb 2001, Riley Hassell wrote:

That problem was discussed a while ago with the unix/linux ftp clients. It's
very interesting that Microsoft's ftp client has a similar problem. ;)

Possibly a format bug.

--After reviewing it, it looks like there is also a standard overflow.
'quote site exec <Ax1000>' overwrote the EIP =)

----- Original Message -----
From: "cyber_hunter" <cyber_hunter () LINUXBR COM BR>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, February 10, 2001 11:44 PM
Subject: ftp.exe buffer overflow ?


While I was reading something about wu-ftp I found an interesting buffer
overflow on ftp.exe.
First logon on any ftp server (any), then:

quote site exec %s%s%s%s%s%s

(this will work even if the server doesn't support site exec)

and: "ftp caused an invalid page fault in module MSVCRT.DLL ..."

I don't know if an exploit can be made, and if this could be used for
something.
ps: I have not tried with any ftp client.



--
------------------------------------------
Mike Duncan
security () randomtask net
http://www.randomtask.net

FLOD: The World's Perfect Cube Of Fat
Also comes in glow-in-the-dark models.
 ** Don't accept any imitations. **
------------------------------------------
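The bug pattern the thread describes, as an added C example that is not from any of the posters: the server's error reply (which echoes the text the user typed after QUOTE) handed to printf() as its format string, beside the hardened call, plus a small check that counts the directives a format parser would act on. The sample replies are constructed, and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample replies (not captured from a real server). A server that does
 * not understand a QUOTEd command echoes the command text back in its 500 reply. */
#define REPLY_BENIGN  "500 'HELP': command not understood"
#define REPLY_HOSTILE "500 '%s%s%s%s%s%s': command not understood"

/* The bug pattern the thread describes: the reply, which contains text the user
 * typed, is passed to printf() as the FORMAT argument. Every %s / %d / %x in it is
 * then interpreted against whatever is on the stack, which is why QUOTE %d shows a
 * number like '16807968' and a run of %s dereferences garbage and faults. */
void show_reply_vulnerable(const char *reply)
{
    printf(reply);      /* never do this: reply is data, not a format */
    putchar('\n');
}

/* Hardened form: the format is a constant and the reply is an ordinary argument,
 * so a "%s" inside the reply is printed literally. The rendered text is left in
 * out; the return value is snprintf()'s, i.e. the length the reply needed. */
int show_reply_fixed(const char *reply, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s", reply);   /* same fix for printf/fprintf */
    fputs(out, stdout);
    fputc('\n', stdout);
    return n;
}

/* Defensive check for a client or logging layer: counts the conversion
 * specifications a format parser would act on. "%%" is a literal percent sign. */
int count_conversion_specs(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent: skip both */
        if (s[1] == '\0') break;             /* dangling percent at end of string */
        n++;
    }
    return n;
}

int main(void)
{
    char out[128];
    show_reply_fixed(REPLY_HOSTILE, out, sizeof out);
    printf("conversion specs in reply: %d\n", count_conversion_specs(REPLY_HOSTILE));
    return 0;
}
```

Compilers flag the vulnerable call with -Wformat-security; treating that warning as an error in the build is the cheapest way to keep this class of bug out of a client that echoes server text.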
