Vulnerability Development mailing list archives

Re: ftp.exe buffer overflow ?


From: Perry Harrington <pedward () WEBCOM COM>
Date: Sun, 11 Feb 2001 17:11:25 -0800

You are right in that it's the client and the error message out.

However this bug is related to the fact that the formatting strings
are passed to printf as the filename.  Specifically it's the same
error that has brought up all the format string attacks.

All you have to do to disassemble the stack is print a few %08X to
find out the values on the stack.  This is important because you can
make your FTP server say anything you want to; it can generate errors
for a file whose name is shellcode for all intents and purposes.

You could make some code that installs BO on the machine.

All you have to do is make the ftp client try to get a file that is
the attack file, and generate an error when it tries to retrieve it, like
a permission denied or something.

Note, Microsoft has built in certain 'features' that make the user's
experience more enjoyable.  The one that comes to mind is the custom
icon for a website.  I saw on userfriendly the explanation of how
to make explorer show an icon on the navigation bar; it's possible other
programs have these types of features as well.

--Perry

On Mon, Feb 12, 2001 at 12:53:42AM -0800, Egemen Tas wrote:
This bug is different from the ones you mentioned.
This is the bug in MS FTP Client's QUOTE command.
When dealing with escape characters and formatting tags like %s %d %u, the quote
command behaves in an undetermined way. (Because I am too lazy to disassemble
ftp.exe, do not wait for detailed information on this symptom.)

The errors given occur when ftp.exe tries to output the error to the
screen.
Probably a function like printf() or fprintf() is called, and it tries to
read a garbage region in the stack and leads to a segmentation fault.

In my opinion this may be overflowable (because the error occurs in the
stack segment! I may be wrong), but it does not pose a great security risk,
because ftp.exe runs with the credentials of the currently logged on user.

QUOTE %s%s%s will give an error according to the number of %s's, which depends on the
length of the command you have entered.

Also the command below gives strange results:

QUOTE %d
500 '16807968': command not understood

QUOTE %x etc.

Microsoft has been informed about this situation.

Regards
Egemen Tas

----- Original Message -----
From: "Mike Duncan" <duncan () RANDOMTASK NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 10:18 AM
Subject: Re: ftp.exe buffer overflow ?


I tried this on...

* Win98 (4.10.1998): Invalid page fault (as described).
* RedHat 7.0 NcFTP 3.0.1/448 (Library version: LibNcFTP 3.0.1): Segmentation fault.
* RedHat 7.0 FTP (Linux NetKit (0.17-pre-20000412August 15, 1999)): "501 Cannot EXEC command line (error=2)." Appeared to be fixed?

I know this is an old bug, but I wanted to show it still exists in some
but not all apps.


On Sat, 10 Feb 2001, Riley Hassell wrote:

That problem was discussed a while ago with the unix/linux ftp clients.
It's very interesting that Microsoft's ftp client has a similar problem. ;)

Possibly a format bug.

--After reviewing it it looks like there is also a standard overflow.
'quote site exec <Ax1000>' overwrote the EIP =)

----- Original Message -----
From: "cyber_hunter" <cyber_hunter () LINUXBR COM BR>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, February 10, 2001 11:44 PM
Subject: ftp.exe buffer overflow ?


While I was reading something about wu-ftp I found an interesting
buffer overflow on ftp.exe,
first logon on any ftp server ( any ), then :

quote site exec %s%s%s%s%s%s

( this will work even if server doesn't support site exec )

and :  "ftp caused an invalid page fault in module MSVCRT.DLL ..."

I don't know if an exploit can be made, and if this could be used for
something.
PS: I have not tried with any other ftp client.



--
------------------------------------------
Mike Duncan
security () randomtask net
http://www.randomtask.net

FLOD: The World's Perfect Cube Of Fat
Also comes in glow-in-the-dark models.
 ** Don't accept any imitations. **
------------------------------------------

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\
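The defect the thread is circling, as an added illustration that is not code from any of the posters and not ftp.exe's actual implementation: a server-controlled reply line used directly as the printf format, beside the hardened form and a small audit helper. The reply string is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a reply line as a malicious FTP server could send it
 * (the "permission denied for a crafted filename" case from the thread). */
static const char kReply[] = "550 %s%s%s%s: Permission denied\r\n";

/* Vulnerable pattern: the untrusted reply IS the format string.  Each '%s'
 * pops a stack slot and dereferences it (the crash the thread observes);
 * '%x'/'%d' leak stack words.  Defined for contrast only, never called. */
void show_reply_vulnerable(const char *reply) {
    printf(reply);              /* format-string bug: reply controls printf */
}

/* Hardened form: the reply is data, the format is a constant.  Output is
 * byte-for-byte the reply, whatever '%' sequences it contains. */
void show_reply_safe(const char *reply) {
    printf("%s", reply);        /* fputs(reply, stdout) is equivalent */
}

/* Same hardening, rendered into a caller buffer so it can be checked.
 * Returns bytes written, or -1 if the reply would not fit. */
int render_reply(char *out, size_t cap, const char *reply) {
    int n = snprintf(out, cap, "%s", reply);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Audit helper: how many conversion directives a line would trigger if it
 * ever reached printf as the format.  "%%" is a literal percent.  Useful
 * as a log/IDS heuristic for replies a server should never legitimately
 * send (a sane server has no reason to emit "%s%s%s"). */
size_t count_format_directives(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}
```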
