Home page logo

bugtraq logo Bugtraq mailing list archives

Re: ncftp 2.4.3 bug
From: mgleason () NCFTP COM (Mike Gleason)
Date: Mon, 22 Jun 1998 13:11:04 -0500

At 09:57 AM 6/22/98 -0500, Shaw Terwilliger <twig () babba advancenet net> wrote:

I hope you sent this to Mike Gleason before BugTraq...

Of course he didn't.  It wouldn't do much good if I could post an official
patch before there was widespread exploitation of the bug.  After all, the
more damage the bug causes, the more prestige he had to gain at my expense.
 However, I do subscribe to this list, and had been working on this problem
(see below).

you're not helping
anyone by excluding the author from your audience.  How do you think bugs
are going to get fixed if you never tell the author [...] ?

Agreed.  This is irresponsible and inexcusable behavior, especially
considering my e-mail address is displayed every single time you run the
program.  But it'll keep happening too, as long as these self-appointed
security experts exist with their own agendas.  Michael at Cygnus
experienced this problem with SN not too long ago, and of course I did as
well a few months ago.

[...] Paul Boehm <paul () BOEHM ORG> wrote:
i think i've found a bug in ncftp 2.4.3 (latest stable release)...
if you connect to a ftp server that responds with something like the
shit below ncftp2.4.3 segfaults. i think this is exploitable,
but had no time/motivation to look further into it.

every reply that looks like this works:
331 a
230 b
c[putting here some exploit code may work]

PS: i have no clue why this crashes ncftp... i haven't looked through
    ncftp's source

but maybe someone else will.

Did you ever think that perhaps the author would?

He didn't seem to have enough time to make a cursory investigation to why
this happens or at least report it to me, but oddly he had plenty of time
to post to this list about it.  At least the last guy spent enough time to
write an exploit to prove in fact that it was a bug and needed a fix ASAP.

As for this particular bug, it crashes because ncftp 2.x was trying to copy
from a NULL pointer.  So, no buffer exploit.  Version 3 (still beta)
handles it just fine.  The official gospel is to upgrade to version 3,
since the bug doesn't occur naturally in the wild.

BTW, Thanks Shaw for making sure I knew about it.  Luckily there are still
more responsible Netizens out there than not.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]