Vulnerability Development mailing list archives

Re: ftp.exe buffer overflow ?


From: Riley Hassell <riley () EEYE COM>
Date: Sun, 11 Feb 2001 22:36:05 -0800

This is actually overflowable:
In my first post I put a note at the bottom showing that sending a large
buffer with 'A's overwrites the EIP.

Example:
ftp example.com
...login...
quote site exec AAAAAAAA.....        <--- 1000x'A'

I'm on build 2195 and it directly overwrites the EIP.


----- Original Message -----
From: "Michal Zalewski" <lcamtuf () BOS BINDVIEW COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 5:45 PM
Subject: Re: ftp.exe buffer overflow ?


On Mon, 12 Feb 2001, Egemen Tas wrote:

> This bug is different from the ones you mentioned..
> This is the bug in MS FTP Client's QUOTE command.

MS FTP client is surprisingly similar to BSDish ftp client, containing -
for example - some similar strings in its binary. It's been discussed on
numerous forums a long time ago (google.com, search for: "Regents of the
University of California" ftp microsoft client). Thus, I bet this is the
same as the bug in BSDish ftp client (format bug in quote command), and is
caused by very similar code.

> In my opinion this may be overflowable (because the error occurs in the
> Stack Segment!) (I may be wrong)

No, never. I mean this is exploitable, but it is not an overflow and has
nothing to do with stack segment.

> but does not pose great security risk, because ftp.exe runs with the
> credentials of the currently logged on user.

Right =)

--
_______________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] | [security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
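Michal's point above, that the QUOTE bug is a format bug rather than a stack overflow, as an added illustration in C (not the ftp.exe or BSD ftp source): the user's argument used directly as the format string, beside the hardened "%s" form, run over a constructed sample line. Function names and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable helper below uses a non-literal format on purpose;
 * silence the compiler diagnostics that would otherwise (rightly) flag it. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable pattern (illustration of the bug class, not the real client
 * code): the text the user typed after "quote" becomes the format string,
 * so any '%' directive in it is interpreted by snprintf. The destination
 * is bounded, so nothing overflows; it is a format-string bug. */
int build_quote_vulnerable(char *out, size_t outsz, const char *arg)
{
    return snprintf(out, outsz, arg);
}

/* Hardened pattern: the user text is only ever data for "%s". */
int build_quote_fixed(char *out, size_t outsz, const char *arg)
{
    return snprintf(out, outsz, "%s", arg);
}

/* Audit helper: does an argument carry any format directive at all?
 * This is what a reviewer would grep for in captured QUOTE lines. */
int has_format_directive(const char *arg)
{
    return strchr(arg, '%') != NULL;
}

/* Returns 1 when the two builders produce different wire text for the
 * same typed argument, i.e. when the vulnerable path rewrote the input. */
int formats_differ(const char *typed)
{
    char v[128], f[128];
    build_quote_vulnerable(v, sizeof v, typed);
    build_quote_fixed(f, sizeof f, typed);
    return strcmp(v, f) != 0;
}

int main(void)
{
    /* Constructed sample; "%%" is the one directive that consumes no
     * argument, so it shows the interpretation without undefined behaviour. */
    const char *typed = "site exec 100%% done";
    char v[128], f[128];
    build_quote_vulnerable(v, sizeof v, typed);  /* site exec 100% done  */
    build_quote_fixed(f, sizeof f, typed);       /* site exec 100%% done */
    printf("vulnerable sent: %s\nfixed sent:      %s\n", v, f);
    return 0;
}
```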
