Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote?

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 05/08/02


From: Frank Knobbe <fknobbe@knobbeits.com>
To: lion <lion@cnhonker.net>
Date: 08 May 2002 11:05:09 -0500


On Sun, 2002-05-05 at 13:33, lion wrote:
> Multiple Local Vulnerabilities in some FTP Client.
>
>
> 1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability.

You might want to add another one to the list. I've encountered this
during a pen-test involving a W2K sp2 client and an AIX ftp server. The
story goes as follows:

Use 'ftp <server>' on the W2K client to connect to an ftp server. Enter
a username with more than 2048 characters. What happens is that the ftp
server (AIX based in this case) echoes back 'user <A x 2048> unknown'.
The client apparently doesn't expect such long responses and crashes,
overwriting EIP.

The only exploit I could see is that such a client would connect to a
rogue FTP server (maybe a DNS-poison hijacked ftp.microsoft.com, or
whatever else you sniff a machine ftp'ing into frequently), and attempt
to login with user anonymous@site.dom. The rogue ftp server could just
reply with ' user <NOPNOP-shellcode-here> unknown' and root the client.

An exploitable bug is an exploitable bug, being server or client
centric. This brings up the whole discussion about what I call 'reverse
buffer overflows'. Typically listening services are checked for bo's,
but not that many connection-establishing services. I vaguely recall an
issue with MS Outlook Internet Email where a rogue server could crash
the client by responding with an unexpected buffer length to the client's
POP requests.

Client programs, no matter how benign, need to be programmed just as
safely and checked for bo's just as diligently as server/listening code.

Regards,
Frank
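The defensive fix for the bug class Frank describes is to treat the length of a server reply as untrusted input. The following is an added example, not code from the message or from any real FTP client: a bounded reply-line reader that refuses an over-long line instead of copying it into a fixed buffer. The 512-byte cap, the sample hostname and the constructed 'user <2048 x A> unknown' reply are assumptions for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FTP_REPLY_MAX 512   /* cap on one reply line: our choice, not from the post */
enum ftp_rc { FTP_TOO_LONG = -1, FTP_MALFORMED = -2 };
/* Copy one LF-terminated reply line from raw socket data `in` into `out`
 * (capacity out_cap) without ever writing past it. On success stores the
 * 3-digit reply code in *code and returns the number of input bytes used. */
int ftp_read_reply(const char *in, size_t in_len, char *out, size_t out_cap, int *code)
{
    size_t i = 0;
    while (i < in_len && in[i] != '\n') {
        if (i + 1 >= out_cap)        /* out of room (one byte reserved for NUL) */
            return FTP_TOO_LONG;     /* caller should drop the connection */
        out[i] = in[i];
        i++;
    }
    if (i == in_len)
        return FTP_MALFORMED;        /* no terminator in the data we have */
    size_t len = (i > 0 && out[i - 1] == '\r') ? i - 1 : i;
    out[len] = '\0';
    /* RFC 959 reply: three digits, then ' ' (final line) or '-' (continued). */
    if (len < 4 || (out[3] != ' ' && out[3] != '-'))
        return FTP_MALFORMED;
    for (int k = 0; k < 3; k++)
        if (out[k] < '0' || out[k] > '9')
            return FTP_MALFORMED;
    *code = (out[0] - '0') * 100 + (out[1] - '0') * 10 + (out[2] - '0');
    return (int)(i + 1);             /* consumed through the '\n' */
}

/* A normal greeting (constructed sample) parses and yields its code. */
int demo_greeting(void)
{
    char line[FTP_REPLY_MAX]; int code = 0;
    const char *raw = "220 ftp.example.com FTP server ready.\r\n";
    return ftp_read_reply(raw, strlen(raw), line, sizeof line, &code) > 0 ? code : -1;
}
/* The reply shape from the post, 'user <2048 x A> unknown' (constructed here),
 * is refused before a single byte lands outside the client's fixed buffer. */
int demo_long_user_reply(void)
{
    static char raw[4096];
    char line[FTP_REPLY_MAX]; int code = 0;
    size_t n = (size_t)snprintf(raw, sizeof raw, "530 user ");
    memset(raw + n, 'A', 2048); n += 2048;
    n += (size_t)snprintf(raw + n, sizeof raw - n, " unknown\r\n");
    return ftp_read_reply(raw, n, line, sizeof line, &code);
}
```

A real client would close the control connection on FTP_TOO_LONG and keep reading on FTP_MALFORMED only while more data is pending.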

