Re: Buffer overflow in Microsoft ftp.exe

From: Frank Knobbe (
Date: 05/14/03

    Date: 14 May 2003 00:17:25 -0500

    On Wed, 2003-04-30 at 03:34, aT4r InsaN3 wrote:
    > There is a Buffer overflow in the raw quote command in the Microsoft Windows
    > XP ftp.exe
    > just type:
    > quote AAAAAAAAA....[517 chars]...AAAAAAAAAAAA
    > ftp.exe will crash
    > after several checks I was unable to exploit this vulnerability remotely but
    > maybe there are other bugs in the way that ftp.exe manages the buffer of
    > server replies.

    Yes, there are, or at least were. A couple years ago we came across a
    buffer overflow in the ftp client. If you use the ftp.exe client to log
    into an FTP server with a user name >2048 or so, and the server is not a
    Microsoft FTP server (used AIX in the test), the ftp client will crash
    when the server echoes back the long user name.

    (sorry, I'm pulling this from memory. I tossed my notes together with
    Windows a couple years ago ;)

    For example:
    C:> ftp
    Name: somethingprettylongbutnottoolonghere
    331 user somethingprettylongbutnottoolonghere not found

    C:> ftp
    Name: somethingverylong+A * 1024 or 2048
    331 user somethingverylongAAAA...(up to buffer size, then a pop up
    Window with the EIP error...)

    If you enter an invalid user name, at some point the server is gonna
    echo that user name back to the ftp client. If the user name is too
    long, the long echo will overflow the ftp client. The reason this
    doesn't work against a Microsoft FTP server is that the MS server will
    truncate long user names to prevent buffer overflows. Too bad MS didn't
    apply the same idea to the client. An FTP server that echoes back a long
    user name can overflow the client. It was overwriting EIP which means
    that you could execute code, albeit in the context of the user executing
    the ftp client.

    Since we couldn't come up with a credible scenario to exploit this
    remotely, were short on time, and I myself was getting fed up with MS
    security anyway, this issue was filed away and forgotten. But I'm sure
    MS addressed this issue when they sent their programmers to security
    boot camp or at least when they started code reviews/audits....
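
The client-side counterpart of the server's truncation described in the message above, as an added example that is not part of the original post and is not ftp.exe code: a reply-line parser that clamps whatever the server echoes to a fixed buffer. The names `REPLY_MAX`, `parse_reply` and `echo_reply` and the 512-byte buffer size are assumptions made for illustration, and the sample reply is constructed.

```c
#include <stddef.h>
#include <string.h>

#define REPLY_MAX 512            /* assumed size of the client's reply buffer */

struct reply {
    int  code;                   /* 3-digit reply code, -1 if malformed */
    int  truncated;              /* 1 if the server sent more than fits */
    char text[REPLY_MAX];        /* always NUL-terminated */
};

/* Copy one server reply line into r->text, never writing past REPLY_MAX. */
int parse_reply(const char *line, size_t len, struct reply *r)
{
    size_t i, n;

    r->code = -1;
    r->truncated = 0;
    r->text[0] = '\0';
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                   /* drop the trailing CRLF */
    if (len < 3)
        return -1;
    for (i = 0; i < 3; i++)
        if (line[i] < '0' || line[i] > '9')
            return -1;
    r->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    n = len;
    if (n > REPLY_MAX - 1) {     /* clamp to the buffer, as the MS server does for names */
        n = REPLY_MAX - 1;
        r->truncated = 1;
    }
    memcpy(r->text, line, n);
    r->text[n] = '\0';
    return 0;
}

/* Constructed input: a "331 user <name> not found" echo with name_len 'A's. */
int echo_reply(size_t name_len, struct reply *r)
{
    static char line[4096];

    if (name_len > sizeof line - 32)
        return -1;
    memcpy(line, "331 user ", 9);
    memset(line + 9, 'A', name_len);
    memcpy(line + 9 + name_len, " not found\r\n", 12);
    return parse_reply(line, 9 + name_len + 12, r);
}
```

A caller can treat `truncated` as a signal to log or drop the connection rather than silently continuing with a cut-off reply.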


