Vulnerability Development mailing list archives

Re: ftp.exe buffer overflow ?


From: Ryan Permeh <ryan () EEYE COM>
Date: Thu, 15 Feb 2001 23:28:12 -0800

Remember everyone, this is client side, and even more it's client side
through the actual interface.  This overflow is happening via end-user
input; to craft any usefulness from it would require you to somehow convince
someone with administrative permissions to either cut and paste this buffer
or run an ftp input script.  Unless I'm missing something, this vuln is not
a real big deal, unless someone wants to play around with it to learn to
write win32 overflow sploitcode.   Inserting something like this in any
privileged user's start script implies that you are able to insert other
stuff there.  Just load a rootkit driver, or start a netcat command
prompt; why even bother with an ftp client overflow at this point.

Also as a side note, if you are running in ring 0 in NT/2K, you are in the
kernel, or have direct access to it (via a callgate, loading a driver,
overflowing a kernel buffer, or some such method).  After you get to a point
where you can run in ring 0 you don't need to overflow any ftp clients.  You
0wn the machine.  You can do as you please at that point.

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Bob Monkier" <bmonkey () OOK OBJECTIONABLE NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, February 15, 2001 5:19 PM
Subject: Re: ftp.exe buffer overflow ?


Oi

I think that this confirms Mr. Hassell's post.  If I were to exploit this
on a machine I think it would be easiest done by putting this in the startup
somewhere on an ethernet based machine.  Has this been tested on NT?  If so,
the only thing that would need to be done is to have this run on startup
and then have it add a user with admin privs.  I'm not big on writing
exploits, so I could be wrong on this.

I don't have too much experience with NT, but I assume that you would need
admin to have it run on startup.  A simpler trick would be to hack ring0
access and do it there :)  I know for a fact that it's harder to do in NT
than in win9x, but it's not impossible.

TTFN

BM

