Vulnerability Development mailing list archives

Re: Multiple Local Vulnerabilities in some FTP Client. Who can exploit it by remote?


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 May 2002 11:05:09 -0500

On Sun, 2002-05-05 at 13:33, lion wrote:
> Multiple Local Vulnerabilities in some FTP Client.
>
> 1.    Windows 2000 and other Versions FTP Client Overflows and Format String Vulnerability.


You might want to add another one to the list. I've encountered this
during a pen-test involving a W2K sp2 client and an AIX ftp server. The
story goes as follows:

Use 'ftp <server>' on the W2K client to connect to an ftp server. Enter
a username with more than 2048 characters. What happens is that the ftp
server (AIX based in this case) echoes back 'user <A x 2048> unknown'.
The client apparently doesn't expect such long responses and crashes,
overwriting EIP.

The only exploit I could see is that such a client would connect to a
rogue FTP server (maybe a DNS-poison hijacked ftp.microsoft.com, or
whatever else you sniff a machine ftp'ing into frequently), and attempt
to login with user anonymous () site dom. The rogue ftp server could just
reply with ' user <NOPNOP-shellcode-here> unknown' and root the client.


An exploitable bug is an exploitable bug, being server or client
centric. This brings up the whole discussion about what I call 'reverse
buffer overflows'. Typically listening services are checked for bo's,
but not that many connection-establishing services. I vaguely recall an
issue with MS Outlook Internet Email where a rogue server could crash
the client by responding with unexpected buffer length to clients' POP
requests.

Client programs, no matter how benign, need to be programmed just as
safely and checked for bo's just as diligently as server/listening code.

Regards,
Frank
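The client-side failure described in the mail, a fixed buffer receiving a server reply of server-chosen length, as an added example that is not from the mail or from any FTP client: a bounded FTP reply-line parser in C that refuses over-long lines instead of copying them. MAX_REPLY, the function names and the 'A'-filled "530 user ... unknown" reply are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Longest reply line this client accepts. RFC 959 sets no hard limit,
 * so the client must impose its own bound; 512 is a constructed choice. */
#define MAX_REPLY 512

/* Parse one FTP reply line ("530 user xxx unknown") from an untrusted
 * server. Returns the 3-digit reply code and copies the text part into
 * text[textsz], or returns -1 (text left empty) when the line is
 * malformed or longer than MAX_REPLY. The server never decides how
 * many bytes are written into the client's buffers. */
int parse_ftp_reply(const char *reply, char *text, size_t textsz) {
    if (textsz == 0) return -1;
    text[0] = '\0';
    /* Bounded length scan: give up after MAX_REPLY bytes without a NUL. */
    const char *nul = memchr(reply, '\0', MAX_REPLY + 1);
    if (nul == NULL) return -1;                    /* over-long reply: refuse */
    size_t len = (size_t)(nul - reply);
    /* Reply code is exactly three digits followed by ' ' or '-' (multi-line). */
    if (len < 4 || !isdigit((unsigned char)reply[0]) || !isdigit((unsigned char)reply[1])
        || !isdigit((unsigned char)reply[2]) || (reply[3] != ' ' && reply[3] != '-'))
        return -1;
    size_t n = len - 4;
    if (n >= textsz) return -1;                    /* explicit bound on the copy */
    memcpy(text, reply + 4, n);
    text[n] = '\0';
    return (reply[0] - '0') * 100 + (reply[1] - '0') * 10 + (reply[2] - '0');
}

/* Build the echoed-username reply the mail describes, "530 user <fill x 'A'> unknown",
 * for a constructed fill length, and run it through the parser. */
int check_echoed_user(size_t fill) {
    static char reply[4096];
    char text[MAX_REPLY];
    const char *head = "530 user ", *tail = " unknown";
    if (strlen(head) + fill + strlen(tail) >= sizeof reply) return -1;
    size_t pos = 0;
    memcpy(reply + pos, head, strlen(head)); pos += strlen(head);
    memset(reply + pos, 'A', fill);              pos += fill;
    memcpy(reply + pos, tail, strlen(tail) + 1); /* includes the terminating NUL */
    return parse_ftp_reply(reply, text, sizeof text);
}

int main(void) {
    char text[MAX_REPLY];
    int code = parse_ftp_reply("230 User logged in, proceed.", text, sizeof text);
    printf("normal reply: code=%d text=\"%s\"\n", code, text);
    printf("user echoed with 16 A's:   code=%d\n", check_echoed_user(16));
    printf("user echoed with 2048 A's: code=%d (rejected, nothing copied)\n", check_echoed_user(2048));
    return 0;
}
```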

