Vulnerability Development mailing list archives
Re: Multiple Local Vulnerabilities in some FTP Client. Who can exploit it by remote?
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 May 2002 11:05:09 -0500
On Sun, 2002-05-05 at 13:33, lion wrote:
> Multiple Local Vulnerabilities in some FTP Client.
> 1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability.
You might want to add another one to the list. I've encountered this during a pen-test involving a W2K SP2 client and an AIX ftp server.

The story goes as follows: Use 'ftp <server>' on the W2K client to connect to an ftp server. Enter a username with more than 2048 characters. What happens is that the ftp server (AIX based in this case) echoes back 'user <A x 2048> unknown'. The client apparently doesn't expect such long responses and crashes, overwriting EIP.

The only exploit I could see is that such a client would connect to a rogue FTP server (maybe a DNS-poison hijacked ftp.microsoft.com, or whatever else you sniff a machine ftp'ing into frequently), and attempt to login with user anonymous () site dom. The rogue ftp server could just reply with ' user <NOPNOP-shellcode-here> unknown' and root the client.

An exploitable bug is an exploitable bug, being server or client centric.

This brings up the whole discussion about what I call 'reverse buffer overflows'. Typically listening services are checked for bo's, but not that many connection-establishing services. I vaguely recall an issue with MS Outlook Internet Email where a rogue server could crash the client by responding with an unexpected buffer length to the client's POP requests. Client programs, no matter how benign, need to be programmed just as safely and checked for bo's just as diligently as server/listening code.

Regards,
Frank
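As an added illustration of the point made above about client-side parsing (example code written for this page, not from the thread or from any FTP client): a bounded reply-line parser in C that clamps a server-controlled control-channel line to a fixed buffer and flags truncation instead of overrunning it, fed a constructed 2048-character 'user ... unknown' echo of the kind the AIX server sent. The 512-byte cap, the 530 reply code and the function names are assumptions.

```c
#include <string.h>
#define FTP_MAX_LINE 512   /* hard cap on any control-channel line we accept */
struct ftp_reply {
    int  code;               /* 3-digit reply code, -1 if malformed */
    int  truncated;          /* 1 if the server's line exceeded FTP_MAX_LINE */
    char text[FTP_MAX_LINE]; /* reply text, always NUL-terminated */
};
/* Parse one "NNN text\r\n" reply from `len` raw bytes. The server controls
 * every byte, so the copy is clamped to the fixed buffer instead of trusting
 * the line length. Returns bytes consumed (through '\n'), 0 if no full line. */
static size_t ftp_parse_reply(const char *buf, size_t len, struct ftp_reply *r)
{
    const char *nl = memchr(buf, '\n', len);
    if (nl == NULL)
        return 0;
    size_t consumed = (size_t)(nl - buf) + 1, line_len = consumed - 1;
    if (line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;
    r->code = -1; r->truncated = 0; r->text[0] = '\0';
    if (line_len < 4 || strspn(buf, "0123456789") < 3 || (buf[3] != ' ' && buf[3] != '-'))
        return consumed;   /* malformed: discarded (strspn stops at the '\n' memchr found) */
    r->code = (buf[0] - '0') * 100 + (buf[1] - '0') * 10 + (buf[2] - '0');
    size_t text_len = line_len - 4;
    if (text_len >= sizeof r->text) {   /* the length check the crashing client lacked */
        text_len = sizeof r->text - 1;
        r->truncated = 1;
    }
    memcpy(r->text, buf + 4, text_len);
    r->text[text_len] = '\0';
    return consumed;
}

/* Parse a NUL-terminated line and return the result by value. */
static struct ftp_reply parse_line(const char *line)
{
    struct ftp_reply r = { -1, 0, "" };
    ftp_parse_reply(line, strlen(line), &r);
    return r;
}

/* Constructed sample shaped like the thread's AIX echo, "user <2048 x A> unknown"; 530 is assumed. */
static struct ftp_reply demo_overlong_reply(void)
{
    static char line[2100];
    memcpy(line, "530 user ", 9);
    memset(line + 9, 'A', 2048);
    memcpy(line + 9 + 2048, " unknown\r\n", 11);   /* 11 bytes copies the NUL too */
    return parse_line(line);
}
```

A real client would call ftp_parse_reply on its socket read buffer and advance by the returned byte count; any line that comes back with truncated set is evidence of a misbehaving or hostile server and is worth logging rather than acting on.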