Vulnerability Development mailing list archives
Re: ftp.exe buffer overflow ?
From: Perry Harrington <pedward () WEBCOM COM>
Date: Sun, 11 Feb 2001 17:11:25 -0800
You are right in that it's the client and the error message out. However this bug is related to the fact that the formatting strings are passed to printf as the filename. Specifically it's the same error that has brought up all the format string attacks.

All you have to do to disassemble the stack is print a few %08X to find out the values on the stack. This is important because you can make your FTP server say anything you want to; it can generate errors for a file whose name is shellcode, for all intents and purposes. You could make some code that installs BO on the machine. All you have to do is make the ftp client try to get a file that is the attack file, and generate an error when it tries to retrieve it, like a permission denied or something.

Note, Microsoft has built in certain 'features' that make the user's experience more enjoyable. The one that comes to mind is the custom icon for a website. I saw on userfriendly the explanation of how to make explorer show an icon on the navigation bar; it's possible other programs have these types of features as well.

--Perry

On Mon, Feb 12, 2001 at 12:53:42AM -0800, Egemen Tas wrote:

> This bug is different from the ones you mentioned. This is the bug in MS FTP Client's QUOTE command. When dealing with escape characters and formatting tags like %s %d %u the quote command behaves undetermined. (Because I am too lazy to disassemble the ftp.exe, do not wait for detailed information on this symptom.) The errors given occur when ftp.exe tries to output the error to the screen. Probably a function like printf() or fprintf() is called and it will try to read a garbage region in the stack and leads to a segmentation fault.
>
> In my opinion this may be overflowable (because the error occurs in the Stack Segment! (I may be wrong)) but does not pose great security risk, because ftp.exe runs with the credentials of the currently logged on user.
>
> QUOTE %s%s%s will give an error according to the # of %s's, which depends on the length of the command you have entered. Also the below command gives strange results:
>
> QUOTE %d
> 500 '16807968': command not understood
>
> QUOTE %x etc.
>
> Microsoft has been informed about this situation.
>
> Regards
> Egemen Tas
>
> ----- Original Message -----
> From: "Mike Duncan" <duncan () RANDOMTASK NET>
> To: <VULN-DEV () SECURITYFOCUS COM>
> Sent: Sunday, February 11, 2001 10:18 AM
> Subject: Re: ftp.exe buffer overflow ?
>
> > I tried this on...
> >
> > * Win98 (4.10.1998): Invalid page fault (as described).
> > * RedHat 7.0 NcFTP 3.0.1/448 (Library version: LibNcFTP 3.0.1): Segmentation fault.
> > * RedHat 7.0 FTP (Linux NetKit (0.17-pre-20000412August 15, 1999)): "501 Cannot EXEC command line (error=2)." Appeared to be fixed?
> >
> > I know this is an old bug, but I wanted to show it still exists in some but not all apps.
> >
> > On Sat, 10 Feb 2001, Riley Hassell wrote:
> >
> > > That problem was discussed a while ago with the unix/linux ftp clients. It's very interesting that Microsoft's ftp client has a similar problem. ;) Possibly a format bug.
> > >
> > > --After reviewing it it looks like there is also a standard overflow.
> > > 'quote site exec <Ax1000>' overwrote the EIP =)
> > >
> > > ----- Original Message -----
> > > From: "cyber_hunter" <cyber_hunter () LINUXBR COM BR>
> > > To: <VULN-DEV () SECURITYFOCUS COM>
> > > Sent: Saturday, February 10, 2001 11:44 PM
> > > Subject: ftp.exe buffer overflow ?
> > >
> > > > While I was reading something about wu-ftp I found an interesting buffer overflow on ftp.exe. First logon on any ftp server (any), then:
> > > >
> > > > quote site exec %s%s%s%s%s%s
> > > >
> > > > (this will work even if server doesn't support site exec) and:
> > > >
> > > > "ftp caused an invalid page fault in module MSVCRT.DLL ..."
> > > >
> > > > I don't know if an exploit can be made, and if this would be used for something.
> > > >
> > > > ps: I have not tried with any ftp client.
> >
> > --
> > ------------------------------------------
> > Mike Duncan
> > security () randomtask net
> > http://www.randomtask.net
> > FLOD: The World's Perfect Cube Of Fat
> > Also comes in glow-in-the-dark models.
> > ** Don't accept any imitations. **
> > ------------------------------------------
--
Perry Harrington                 Director of zelur xuniL
perry () webcom com               System Architecture
Think Blue.                                   /\
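The bug pattern the thread is circling, as an added example (not code from ftp.exe, from any poster, or from Microsoft): a printf-family call whose format string is data that came from the peer, such as the server's "500 '%d': command not understood" reply to QUOTE, or a file name echoed into an error message. The function names and the sample reply below are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Count printf-style conversion directives in an untrusted string.
 * "%%" is the literal-percent escape and consumes no argument, so it
 * is skipped; every other '%' starts a directive ("%s", "%08X", "%n")
 * that would consume a variadic argument the caller never supplied.
 * A non-zero result for data that is about to be used *as* a format
 * string is exactly the condition this thread describes.
 */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        n++;
    }
    return n;
}

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/*
 * VULNERABLE (hypothetical): the server reply is passed as the format
 * string. With no arguments, each "%08X" prints whatever sits in the
 * next argument slot (the stack walk Perry describes) and each "%s"
 * dereferences one as a pointer, which is the MSVCRT invalid page fault
 * reported in the thread. Kept only to show the shape of the bug; its
 * output on peer data is undefined, so nothing here calls it.
 */
int report_error_vuln(char *out, size_t outlen, const char *reply)
{
    return snprintf(out, outlen, reply);
}
#pragma GCC diagnostic pop

/* FIXED: the format is a literal and the reply is merely an argument. */
int report_error_fixed(char *out, size_t outlen, const char *reply)
{
    return snprintf(out, outlen, "%s", reply);
}

/* Returns 1 if the fixed path reproduces the reply byte for byte,
 * i.e. directives in it are printed literally, not interpreted. */
int fixed_keeps_reply_literal(const char *reply)
{
    char buf[256];
    int n = report_error_fixed(buf, sizeof buf, reply);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, reply) == 0;
}

int main(void)
{
    /* Constructed reply, modelled on the "500 '%d': command not
     * understood" exchange quoted in the thread. */
    const char *reply = "500 '%08X %08X %08X %08X': command not understood";
    char buf[256];

    printf("directives in reply: %d\n", count_format_directives(reply));
    report_error_fixed(buf, sizeof buf, reply);
    printf("fixed: %s\n", buf);
    return 0;
}
```

The practical check is the first function: any '%' other than "%%" in a string you did not write is a directive that will consume an argument, so the string must only ever travel through a literal "%s". The fix is one edit at the call site; compilers flag the vulnerable shape with -Wformat-security, which is why the example has to silence that warning to keep it in the file.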
Current thread:
- /usr/bin/ddate buffer overflow SosPiro (Feb 10)
- Re: /usr/bin/ddate buffer overflow Blue Boar (Feb 10)
- Re: /usr/bin/ddate buffer overflow enthh () FLASH NET (Feb 10)
- ftp.exe buffer overflow ? cyber_hunter (Feb 10)
- Re: ftp.exe buffer overflow ? Riley Hassell (Feb 10)
- Re: ftp.exe buffer overflow ? Mike Duncan (Feb 11)
- Re: ftp.exe buffer overflow ? Egemen Tas (Feb 11)
- Re: ftp.exe buffer overflow ? Perry Harrington (Feb 11)
- Re: ftp.exe buffer overflow ? Michal Zalewski (Feb 11)
- Re: ftp.exe buffer overflow ? Riley Hassell (Feb 15)
- Re: ftp.exe buffer overflow ? Michal Zalewski (Feb 15)
- Re: ftp.exe buffer overflow ? Benjamin Branch (Feb 15)
- Re: ftp.exe buffer overflow ? Bob Monkier (Feb 15)
- Re: ftp.exe buffer overflow ? Ryan Permeh (Feb 16)
- Internet explorer bug or Micromedia Flash bug ? cyber_hunter (Feb 19)
- Re: /usr/bin/ddate buffer overflow enthh () FLASH NET (Feb 10)
- Re: ftp.exe buffer overflow ? Antti Hakulinen (Feb 15)
- Re: /usr/bin/ddate buffer overflow Blue Boar (Feb 10)
- Message not available
- Re: ftp.exe buffer overflow ? Lincoln Yeoh (Feb 13)
- Re: ftp.exe buffer overflow ? Lord Soth (Feb 11)