
def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS
From: andreas junestam <andreas.junestam () defcom com>
Date: Sun, 27 May 2001 21:37:06 +0100

                  Defcom Labs Advisory def-2001-27

               GuildFTPD Buffer Overflow and Memory Leak DoS

Author: Andreas Junestam <andreas () defcom com>
Co-Author: Janne Sarendal <janne () defcom com>
Release Date: 2001-05-22
------------------------=[Brief Description]=-------------------------
GuildFTPD contains two different problems:
1. Buffer overrun in the SITE command with the ability to execute
   arbitrary code
2. A memory leak in the input parsing code

------------------------=[Affected Systems]=--------------------------
- GuildFtpd v0.97 (probably earlier versions too)

----------------------=[Detailed Description]=------------------------
* SITE command Buffer Overflow
  All the SITE commands are handled in a DLL (sitecmd.dll) which suffers
  from a buffer overflow. Sending a SITE command longer than 261 bytes
  overflows a buffer, and it is possible to execute arbitrary code. We
  have chosen not to include the working exploit.

  C:\>nc 21
  220-GuildFTPD FTP Server (c) 1999,2000
  220-Version 0.97
  220 Please enter your name:
  user a
  331 User name okay, Need password.
  pass a
  230 User logged in.

  Access violation - code c0000005 (first chance)
  eax=01450000 ebx=00000001 ecx=00000000 edx=00130608 esi=10030000
  eip=41414141 esp=01bcf9b4 ebp=10030000 iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000

* Memory Leak DoS
  The input parsing code in GuildFTPD contains a memory leak that is
  triggered by a request containing a NULL (0x00) character. GuildFTPD
  will still answer new requests, but eventually the server will run out
  of memory and the machine will crash.
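  As an added example (not part of the advisory, and not GuildFTPD code), the
  following detector scans captured FTP control-channel data for the two
  patterns described above: a SITE command longer than 261 bytes and any
  request carrying a NUL byte. It assumes the 261-byte threshold applies to
  the whole command line including the verb, and the sample traffic is constructed.

```python
"""Flag the two GuildFTPD abuse patterns from def-2001-27 in raw FTP
control-channel bytes. Added example; the threshold interpretation
(whole line, verb included) and the sample traffic are assumptions."""
import re

SITE_LIMIT = 261  # bytes; overflow threshold quoted in the advisory
SITE_VERB = re.compile(rb"(?i)^SITE(?:\s|$)")  # SITE, then space or end


def split_requests(stream: bytes):
    """Split CRLF-terminated requests. A NUL is not a terminator, so it
    stays inside the request and can be inspected."""
    return [line for line in stream.split(b"\r\n") if line]


def check_request(req: bytes):
    """Return finding tags for one request; an empty list means clean."""
    findings = []
    if b"\x00" in req:
        findings.append("nul-byte-in-request")          # memory-leak trigger
    if SITE_VERB.match(req) and len(req) > SITE_LIMIT:
        findings.append(f"oversized-site-command:{len(req)}")  # overflow
    return findings


def scan_stream(stream: bytes):
    """Return (request index, first 16 bytes, finding) for every hit."""
    hits = []
    for i, req in enumerate(split_requests(stream)):
        for f in check_request(req):
            hits.append((i, req[:16], f))
    return hits


# Constructed sample session: two benign commands, one oversized SITE,
# one LIST carrying an embedded NUL, then QUIT.
SAMPLE = (
    b"USER a\r\n"
    b"PASS a\r\n"
    b"SITE HELP\r\n"
    b"SITE " + b"A" * 300 + b"\r\n"
    b"LIST fo\x00o\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for idx, head, finding in scan_stream(SAMPLE):
        print(f"request {idx}: {finding} ({head!r})")
```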

None for the moment

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the developer's attention on the 24th of
2001; no response so far.

            This release was brought to you by Defcom Labs UK

              labs () defcom com             www.defcom.com
