Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Buffer overflow in Microsoft ftp.exe

From: "aT4r InsaN3" <at4r () hotmail com>
Date: Wed, 30 Apr 2003 10:34:21 +0200
There is a Buffer overflow in the raw quote command in the Microsoft Windows XP ftp.exe 

just type:

quote AAAAAAAAA....[517 chars]...AAAAAAAAAAAA
ftp.exe will crash
after several checks i was unable to exploit this vulnerability remotely but maybe there are other bugs in the way that ftp.exe manages the buffer of server replyes. 


An attack scenario can be the following:
a Windows workstation/server that executes commands like this one: at /next:xxxxxx ftp -s:scriptfile
if an attacker with axx to the system is able to modify the scriptfile he can modify the script and place an evil command Quote AAAAAA..SHELLCODE... and execute code with elevated privileges. 


tested in ftp.exe v 5.1.2600.1106 WINXP SP1 Spanish version
fix: check file permisions with cacls.

at4r [at] 3wdesign.es Security


_________________________________________________________________
Melodías, logos y mil servicios para tu teléfono en MSN Móviles. http://www.msn.es/MSNMovil/
Previous By Date Next
Previous By Thread Next

Current thread: