RE: Multiple Local Vulnerabilities in some FTP Client. Who can exploit it by remote?

From: Brett Moore (brett@softwarecreations.co.nz)
Date: 05/06/02


From: "Brett Moore" <brett@softwarecreations.co.nz>
To: "Stan Bubrouski" <stan@ccs.neu.edu>, "lion" <lion@cnhonker.net>
Date: Mon, 6 May 2002 12:47:42 +1200

Hi.

You said.
"This is a client-side bug the client themselves would have to exploit
making it irrelevant."

Think about this, because I do.

IIS server, unpatched for unicode (or similar/ new variant). The server has
had the cmd.exe renamed/removed/acl protected therefore preventing command
execution.

But they forgot FTP.exe so we bof the ftp client and inject and run any code
we like, therefore bypassing the 'protection' given by removing cmd.exe.

Brett

> -----Original Message-----
> From: Stan Bubrouski [mailto:stan@ccs.neu.edu]
> Sent: Monday, 6 May 2002 08:02
> To: lion
> Cc: vuln-dev@securityfocus.com
> Subject: Re: Multiple Local Vulnerabilities in some FTP Client.Who can
> exploitit by remote?
>
>
> lion wrote:
> > Multiple Local Vulnerabilities in some FTP Client.
> >
> >
> > 1. Windows 2000 and other Version FTP Client Overflows and
> Format String Vulnerability.
> > a.
> > d:\>perl -e "printf 'A'x3000"|ftp
> > Invalid command.
> > ftp>
> >
> > will see the 0x4141414d memory addr not be read error.
> >
> > d:\>perl -e "printf 'open '. 'A'x3000"|ftp
> > Already connected to (null), use disconnect first.
> >
>
> This is a client-side bug the client themselves would have to exploit,
> making it irrelevent.
>
> > will see the 0x4141414d memory addr not be read error.
> >
> > b.
> > d:\>ftp localhost
> > Connected to lion.
> > 220 lion Microsoft FTP Service (Version 5.0).
> > User (lion:(none)): ftp
> > 331 Anonymous access allowed, send identity (e-mail name) as password.
> > Password:
> > 230 Anonymous user logged in.
> > ftp> debug
> > Debugging On .
> > ftp> cd AAAAAAAAAA... ('A' x 500)
> > 500 Command was too long
> > 421 Terminating connection.
> > Connection closed by remote host.
> > ftp> debug
> > Debugging On .
> > ftp> open localhost
> > Connected to lion.
> > 220 lion Microsoft FTP Service (Version 5.0).
> > User (lion:(none)): ftp
> > ---> USER ftp
> > 331 Anonymous access allowed, send identity (e-mail name) as password.
> > Password:
> > ---> PASS f
> > 230 Anonymous user logged in.
> > ftp> cd AAAAAAAAAAAAAAAA... ('A' x 2000)
> >
> > will see the 0x41414141 memory addr not be read error.
> >
>
> Client-side, again no remote threat.
>
> > ftp> ls AAAAAAAAAAAAAAAA... ('A' x 2000)
> > ---> PORT 127,0,0,1,4,114
> > 200 PORT command successful.
> > ---> NLST AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
> >
> > will see the 0x41414141 memory addr not be read error.
> >
>
> Client-side, again no remote threat.
>
> > c.
> > d:\>ftp localhost
> > Connected to lion.
> > 220 lion Microsoft FTP Service (Version 5.0).
> > User (lion:(none)): ftp
> > 331 Anonymous access allowed, send identity (e-mail name) as password.
> > Password:
> > 230 Anonymous user logged in.
> > ftp> debug
> > Debugging On .
> > ftp> quote %s
> > ---> quote %s
> > 500 'QUOTE %s': command not understood
> > ftp> quote %s%s%s
> > ---> quote %s%s%s?(null)
> > 500 'QUOTE %s%s%s (null)': command not understood
> > ftp> quote %s%s%s%s%s%s%s%s
> > --->
> >
> > will see the 0x73257325 memory addr not be read error.
> >
> > Use W32Dasm to disassemble the ftp.exe, we can find the
> > 780127A8 mov dword ptr [eax],ecx
> >
> > This is a character with win2000 Format Strings Vulnerability.
> >
>
> Client-side, again no remote threat.
>
> > 2. Cygwin version 2.194.2.21 and Redhat 6.2 FTP Client Format
> String Vulnerability.
> >
> > lion@LION ~
> > $ ftp localhost
> > Connected to lion.
> > 220 lion Microsoft FTP Service (Version 5.0).
> > Name (localhost:lion): ftp
> > 331 Anonymous access allowed, send identity (e-mail name) as password.
> > Password:
> > 230 Anonymous user logged in.
> > Remote system type is Windows_NT.
> > ftp> debug
> > Debugging on (debug=1).
> > ftp> quote %s
> > ---> %s
> > 500 '%S': command not understood
> > ftp> quote %s%s%s%s%s%s%s
> > Segmentation fault (core dumped)
> >
> > Who can exploit it by remote?
> > Sorry for my poor English.:)
> >
> > Lion
> > lion@cnhonker.net
> > HUC
> >
>
> None of these bugs are remotely exploitable, and the Red Hat 6.2 FTP
> client was patched over a year ago and it was irrelevant because it was
> client-side. Nevertheless these bugs should be fixed at some point
> for stability of the FTP clients if nothing else.
>
> Best Regards,
>
> Stan Bubrouski
>
>
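The two client-side defects lion's transcripts exercise (the debug trace treating `quote %s%s%s` as a printf format, and `cd`/`ls` arguments of 2000-3000 bytes copied into a fixed buffer) have a standard hardened form. The following is an added illustration, not code from ftp.exe, the Cygwin client or anyone in this thread; `FTP_LINE_MAX` and both function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed upper bound on one FTP command line for this example.
 * The IIS server in the thread enforces its own limit and answers
 * "500 Command was too long"; the clients never checked at all. */
#define FTP_LINE_MAX 512

/*
 * Defect 1 (format string): the "---> " debug trace passed the user's
 * line as the FORMAT argument, roughly  printf("---> "); printf(line);
 * so "quote %s%s%s%s" made printf walk the stack and dereference it.
 * Hardened: the line is always DATA behind a constant "%s" format, so
 * a '%' in it is inert. Returns characters written, or -1 if the
 * result would not fit in the caller's buffer.
 */
int debug_trace(char *out, size_t outlen, const char *line)
{
    int n = snprintf(out, outlen, "---> %s", line);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                    /* refuse rather than truncate */
    return n;
}

/*
 * Defect 2 (overflow): the argument of cd/ls/open was copied into a
 * fixed stack buffer with no length check, so 'A' x 2000 overwrote the
 * return address (the 0x41414141 fault). Hardened: bounded copy that
 * rejects an over-long argument the way the server rejects the command.
 * Returns 0 on success, -1 when the argument does not fit.
 */
int copy_argument(char *dst, size_t dstlen, const char *arg)
{
    const char *nul = memchr(arg, '\0', dstlen); /* scan at most dstlen */
    if (nul == NULL)
        return -1;                    /* no NUL within dstlen: too long */
    memcpy(dst, arg, (size_t)(nul - arg) + 1);
    return 0;
}

int main(void)
{
    char trace[FTP_LINE_MAX], dir[FTP_LINE_MAX], big[3001];
    memset(big, 'A', sizeof big - 1);  /* constructed: 'A' x 3000 */
    big[sizeof big - 1] = '\0';

    debug_trace(trace, sizeof trace, "quote %s%s%s%s%s%s%s%s");
    puts(trace);                       /* the %s's are printed literally */
    printf("cd 'A'x3000: %s\n",
           copy_argument(dir, sizeof dir, big) == 0 ? "copied" : "rejected");
    return 0;
}
```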


