mailing list archives
bugtraq () security nnov ru list issue: NcFTPd
From: Mike Gleason <mgleason () ncftp com>
Date: Thu, 20 Jun 2002 17:53:23 -0500
(this came from a bugtraq posting by 3APA3A () SECURITY NNOV RU)
On Thu, Jun 20, 2002 at 02:00:51PM +0400, 3APA3A wrote:
3. There was also report by DocSoft <docsoft at mail.ru> on
overflow in some older version of ncftpd on Solaris , but I was
able to reproduce it at least on demo version of ncftpd >= 2.5.0
FreeBSD, so it was bounced. Overflow is on FTP DELE command
buffer > 256 bytes. Feel free to contact DocSoft if you can
I can't read Russian, but I am guessing that DocSoft is making a similar
incorrect conclusion to what the older versions of the Nessus scanner
used to do. Below is a snippet from the page
http://hackcastle.hut.ru/p_bugs.htm, which contains some cyrillic
characters, so it may not be legible, but:
Бага в NcFTPd Server [author: DocSoft]
Реализация DoS-атаки на FTP
I do see "DoS" so I assume that the DocSoft is concluding that sending a
very long "DELE AAAA...AAA" is causing NcFTPd to exit because the
connection is abruptly closed. Often when a server process abruptly
closes the connection it means that the server process has crashed,
resulting in (a minimum) of a denial-of-service.
However, NcFTPd has code to detect clients looking for buffer overflows,
and when it detects a client attempting one, NcFTPd forcefully
disconnects the user. Older versions used to simply boot them off with
no message, but that was changed so that it sends back an FTP "550"
response first, _then_ it disconnects them.
Long story short: sending "DELE " followed by a huge number of
characters does not cause any version of NcFTPd Server to crash or
overflow an internal buffer.
- bugtraq () security nnov ru list issue: NcFTPd Mike Gleason (Jun 21)