Subject: Re: ftpd: the advisory version
From: Lamagra Argamal (lamagra@HACKERMAIL.NET)
Date: Sat Jun 24 2000 - 04:17:56 CDT
- Next message: Todd T. Fries: "Re: possible root exploit in ISC DHCP client."
- Previous message: Weld Pond: "Re: Force Feeding"
- Maybe in reply to: Lamagra Argamal: "ftpd: the advisory version"
- Next in thread: Jim Knoble: "Re: ftpd: the advisory version"
- Next in thread: Bernd Luevelsmeyer: "Re: ftpd: the advisory version"
- Maybe reply: Lamagra Argamal: "Re: ftpd: the advisory version"
- Reply: Jim Knoble: "Re: ftpd: the advisory version"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
first of all thanks for liking my lame post :)
Second, I hope you all know that bug isn't fixed. I'm not going to do this because the code is soooo messy, I wouldn't know where to begin. Like with that "space stops sanitizing": should the rest be stripped off? Someone should really do a rewrite someday.
Someone write a small quick patch, so the "world" is safe again. Wouldn't like seeing all those computers in the hands of those script-kiddies. Changing lreply(200,buf)
into lreply(200,"%s",buf) would do for a while, but other patching is needed too. Or everyone could run proftpd :)
About ncftpd, never worked with it nor seen the code.
If you like I could do a bugcheck during the summer.
Last thing, I've been thinking about the general ftp protocol and there is only 1 reason why it should run as root after authentication. Namely to bind the data connection to port <ftpport - 1> (mostly 20). And we all know high ports require root privileges for binding.
Couldn't you change it to bind to the port at startup?
This would require some other changes to prevent DoS etc.
But it should be possible; after that the daemon can just drop all privileges after authentication. Giving an attacker nothing.
Well just some things to work and think about.
If you have any questions, ask away.
BTW: the ftp program (linux,bsd,windows) has the same kinda bug in the QUOTE command, look at command().
Doesn't really give a problem tho, just annoying.
-lamagra
http://lamagra.seKure.de (update soon)
http://roothat.labs.pulltheplug.com (exploit games etc)
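The lreply(200,buf) versus lreply(200,"%s",buf) distinction above, and the same class of bug the post mentions in the ftp client's QUOTE handling, shown side by side as an added example. This is not code from ftpd or from the poster; lreply_into() is a constructed stand-in that writes into a buffer instead of the control connection, and reply_vulnerable(), reply_fixed() and has_format_directive() are names chosen for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the ftpd lreply() call discussed in the post:
 * formats a reply line "<code>-<text>" into a caller-supplied buffer.
 * Constructed for this example; it is not the real ftpd function. */
static void lreply_into(char *out, size_t n, int code, const char *fmt, ...)
{
    va_list ap;
    int len = snprintf(out, n, "%d-", code);
    if (len < 0 || (size_t)len >= n)
        return;
    va_start(ap, fmt);
    vsnprintf(out + len, n - (size_t)len, fmt, ap);
    va_end(ap);
}

/* The pattern the post calls out, lreply(200, buf): text that came from the
 * client is handed over as the format string, so every '%' conversion in it
 * is interpreted by the printf engine. Kept only to show the shape of the
 * bug; it must never be reached with untrusted input. */
void reply_vulnerable(char *out, size_t n, const char *user_text)
{
    lreply_into(out, n, 200, user_text);
}

/* The fix from the post, lreply(200, "%s", buf): the format is a constant
 * and the client text is only ever a %s argument, so it is copied verbatim
 * no matter what characters it contains. */
void reply_fixed(char *out, size_t n, const char *user_text)
{
    lreply_into(out, n, 200, "%s", user_text);
}

/* Review aid for logs or code audits: does a string contain anything printf
 * would treat as a conversion directive if it were used as a format? */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[128];
    const char *probe = "dir %x %x";    /* constructed sample client input */

    reply_fixed(out, sizeof out, probe);
    printf("fixed reply      : %s\n", out);
    printf("directive present: %d\n", has_format_directive(probe));
    return 0;
}
```

Compiling the vulnerable variant with -Wformat-security (and marking helpers like lreply_into with the printf format attribute) makes this class of call site show up as a warning, which is the cheap way to find the "other patching" the post says is still needed.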
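The bind-at-startup-then-drop idea from the post, as an added example that is not part of the original message or of any ftpd. The function names bind_data_port(), drop_privileges() and privileges_dropped() are this example's own; the port number 20 is the one the post names. Binding port 20 needs root, so the stand-alone main() only succeeds when run privileged, while the check functions work for any user.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind the data-connection socket while still root, before any client
 * input has been read. Returns the descriptor or -1. Pass 0 to let the
 * kernel choose a free port when running unprivileged. */
int bind_data_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to the authenticated user's ids. Order matters:
 * supplementary groups, then gid, then uid, because once the uid is
 * unprivileged the first two calls would fail. Returns 0 or -1 (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    return 0;
}

/* Post-condition the daemon should verify before serving commands: root is
 * gone and cannot be regained. Returns 1 when that holds. */
int privileges_dropped(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(void)
{
    int data_fd = bind_data_port(20);           /* needs root at this point */
    if (data_fd < 0) {
        perror("bind port 20");
        return 1;
    }
    /* ... authentication happens here; 65534/65534 stand in for the
     * authenticated user's ids in this constructed example ... */
    if (drop_privileges(65534, 65534) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("privileges dropped: %d\n", privileges_dropped());
    close(data_fd);
    return 0;
}
```

One caveat the post's "some other changes" hints at: in active-mode FTP the server opens a new connection from port 20 for every transfer, so a single socket bound at startup is not enough on its own; the usual designs either keep one small privileged helper that hands out port-20 sockets over a pipe, or accept that the data port is only needed before privileges are dropped.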