ftp.exe anf tftp.exe buffer overflows

• Previous message: Marc Ruef: "Netscape Communicator 4.x sensitive informations in configuration file"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 27 Feb 2003 16:43:21 -0800 (PST)
From: Max <rusmir@tula.net>
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello there,

ftp.exe and tftp.exe both have the same problem with unchecked hostname length.

Description:
    ftp.exe and tftp.exe do not check the length of hostname parameter before
    passing it to gethostbyname(). This makes possible to crash them by providing
    a long enough (~550+ bytes) hostname string.

    According to Microsoft:

    (http://msdn.microsoft.com/library/en-us/winsock/winsock/gethostbyname_2.asp)

    "The gethostbyname function does not check the size of the name parameter
    before passing the buffer. In improperly sized name parameters,
    heap corruption can occur."

Although it is sort of strange behaviour, it is documented.
A good advice for MS developers is to read function description before using it.

Both problems tested on up-to-date W2KPro.

Thanks,

Max.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+XrCw8mCpXsrcXpwRAvrCAKDrQ9HALqCl3w1F23xsEEgAD4is9ACg7uHC
c5aVcrLBTzJ0/o4WJXsLVnM=
=20xF
-----END PGP SIGNATURE-----

• Next message: Martin Eiszner: "axis2400 webcams"
• Previous message: Marc Ruef: "Netscape Communicator 4.x sensitive informations in configuration file"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]