Re: Multiple Local Vulnerabilities in some FTP Client. Who can exploit it by remote?

From: Stan Bubrouski (stan@ccs.neu.edu)
Date: 05/05/02


Date: Sun, 05 May 2002 16:02:08 -0400
From: Stan Bubrouski <stan@ccs.neu.edu>
To: lion <lion@cnhonker.net>

lion wrote:
> Multiple Local Vulnerabilities in some FTP Client.
>
>
> 1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability.
> a.
> d:\>perl -e "printf 'A'x3000"|ftp
> Invalid command.
> ftp>
>
> will see the 0x4141414d memory addr could not be read error.
>
> d:\>perl -e "printf 'open '. 'A'x3000"|ftp
> Already connected to (null), use disconnect first.
>

This is a client-side bug the client themselves would have to exploit,
making it irrelevant.

> will see the 0x4141414d memory addr could not be read error.
>
> b.
> d:\>ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> ftp> debug
> Debugging On .
> ftp> cd AAAAAAAAAA... ('A' x 500)
> 500 Command was too long
> 421 Terminating connection.
> Connection closed by remote host.
> ftp> debug
> Debugging On .
> ftp> open localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> ---> USER ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> ---> PASS f
> 230 Anonymous user logged in.
> ftp> cd AAAAAAAAAAAAAAAA... ('A' x 2000)
>
> will see the 0x41414141 memory addr could not be read error.
>

Client-side, again no remote threat.

> ftp> ls AAAAAAAAAAAAAAAA... ('A' x 2000)
> ---> PORT 127,0,0,1,4,114
> 200 PORT command successful.
> ---> NLST AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
>
> will see the 0x41414141 memory addr could not be read error.
>

Client-side, again no remote threat.

> c.
> d:\>ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> User (lion:(none)): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> ftp> debug
> Debugging On .
> ftp> quote %s
> ---> quote %s
> 500 'QUOTE %s': command not understood
> ftp> quote %s%s%s
> ---> quote %s%s%s?(null)
> 500 'QUOTE %s%s%s (null)': command not understood
> ftp> quote %s%s%s%s%s%s%s%s
> --->
>
> will see the 0x73257325 memory addr could not be read error.
>
> Use W32Dasm to disassemble the ftp.exe, we can find the
> 780127A8 mov dword ptr [eax],ecx
>
> This is a character with win2000 Format Strings Vulnerability.
>

Client-side, again no remote threat.

> 2. Cygwin version 2.194.2.21 and Redhat 6.2 FTP Client Format String Vulnerability.
>
> lion@LION ~
> $ ftp localhost
> Connected to lion.
> 220 lion Microsoft FTP Service (Version 5.0).
> Name (localhost:lion): ftp
> 331 Anonymous access allowed, send identity (e-mail name) as password.
> Password:
> 230 Anonymous user logged in.
> Remote system type is Windows_NT.
> ftp> debug
> Debugging on (debug=1).
> ftp> quote %s
> ---> %s
> 500 '%S': command not understood
> ftp> quote %s%s%s%s%s%s%s
> Segmentation fault (core dumped)
>
> Who can exploit it by remote?
> Sorry for my poor English. :)
>
> Lion
> lion@cnhonker.net
> HUC
>

None of these bugs are remotely exploitable, and the Red Hat 6.2 FTP
client was patched over a year ago and it was irrelevant because it was
client-side. Nevertheless these bugs should be fixed at some point
for stability of the FTP clients if nothing else.

Best Regards,

Stan Bubrouski
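The two defect shapes the thread describes (an over-long command argument copied into a fixed buffer, and a user-typed `quote %s%s%s` reaching a printf-style function as the format string when `debug` echoes the outgoing line) can be shown side by side in a small model. The following is an added example written for this archive page; it is hypothetical code and not the source of ftp.exe, the Cygwin client or the Red Hat 6.2 client. The buffer size `CMDLINE_MAX`, the functions `build_command`, `trace_safe` and `contains_format_directive`, and the sample argument are all assumptions made here, not values from the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical client-side model (added example, not any real ftp client's
 * code). The outgoing command line is built into a fixed buffer and, in
 * debug mode, echoed back to the user as "---> ...". */

#define CMDLINE_MAX 512   /* assumed size of the outgoing-line buffer */

/*
 * Vulnerable shape, shown as a comment for comparison only:
 *
 *     char line[CMDLINE_MAX];
 *     strcpy(line, arg);       // 'A' x 2000 runs past the buffer
 *     printf("---> ");
 *     printf(line);            // "%s%s%s..." is used as the FORMAT
 *
 * With the second call, each %s dereferences whatever happens to be on the
 * stack as a char pointer; the report's fault address 0x73257325 is the
 * bytes "%s%s" of the user's own text being treated as such a pointer.
 */

/* Hardened echo: user text is always an argument, never the format. */
static void trace_safe(const char *line)
{
    printf("---> %s\n", line);
}

/* Builds "<verb> <arg>" into out (capacity outlen) with a bounded write.
 * Returns the length written, or -1 if the line would not fit, so an
 * over-long argument is refused instead of overflowing the buffer. */
int build_command(char *out, size_t outlen, const char *verb, const char *arg)
{
    int n = snprintf(out, outlen, "%s %s", verb, arg);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';   /* leave a well-formed empty line on failure */
        return -1;
    }
    return n;
}

/* Defender's unit check: flags any argument carrying a '%' so a code
 * review or test can confirm such text never reaches a format parameter. */
int contains_format_directive(const char *arg)
{
    return strchr(arg, '%') != NULL;
}

int main(void)
{
    char line[CMDLINE_MAX];
    /* constructed sample input, mirroring the report's "quote %s%s%s..." */
    const char *arg = "%s%s%s%s%s%s%s%s";

    if (build_command(line, sizeof line, "QUOTE", arg) < 0)
        return 1;
    trace_safe(line);   /* echoes the eight %s literally, no stack reads */
    return 0;
}
```

The fix is the usual one: any string that originates from the user (or from the server's reply) is passed as a `%s` argument, and every copy into a fixed buffer is length-checked, returning an error the way the server's own `500 Command was too long` does rather than trusting the input length.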


