From: Len Budney (lbudney-lists-bugtraq NB.NET)
Date: Sun Apr 22 2001 - 15:20:00 CDT
WFTPD is the Win/NT FTP server by Alun Jones, "an author acknowledged as
an expert in FTP and TCP/IP". This advisory pertains to "Professional"
version 3.00 R4, which appears to be the current version. It can be
downloaded from the author's site at <http://www.wftpd.com/>. WFTPD is
released as shareware, and costs $120.
The latest version of WFTPD is vulnerable to a buffer overflow in the
RETR and CWD commands. The overflow can be used to completely disable
the FTP server, and can probably be exploited to run arbitrary code
on the server host.
This problem was already reported for version 3.0 R1 on March 3, 2001
[1], and the author claimed that he had "fixed" the overflow. What he
apparently did was make the buffers bigger; now, instead of ~500 characters
overflowing the buffer, it takes ~32K.
Similar buffer overflows were reported on September 5, 2000 for version
2.41 RC12 [2], and for version 2.40 on October 28, 1999 [3].
The exploit is essentially unchanged from the one posted a month ago;
since <se00020
lion.cc> Windows, version, attached is a UNIX version.
A root exploit can probably be adapted from Alberto Solino's code [4].
Len Budney
References:
[1] http://www.securityfocus.com/templates/archive.pike?list=1&mid=166467
[2] http://www.securityfocus.com/templates/archive.pike?list=1&mid=71096
[3] http://www.securityfocus.com/templates/archive.pike?list=1&mid=32397
[4] http://oliver.efri.hr/~crv/security/bugs/Others/wftpd3.html
-- Frugal Tip #40: Instead of commuting to work every day, consider tending to your job duties by mental telepathy.
- Text/Plain attachment: sploit.c
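
The advisory's point that enlarging the buffer only moved the overflow threshold, shown as an added example (not WFTPD's code and not part of the original post): the argument of a RETR or CWD line is length-checked before any copy, so the result does not depend on how big the buffer is. The names `ftp_arg` and `try_arg_len` and the 255-byte limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ARG_MAX_LEN 255  /* assumed policy limit for a path argument */

/* Pattern the advisory describes: a fixed buffer and an unbounded copy.
 * Enlarging buf only raises the length at which the copy overflows.
 *
 *     char buf[32768];
 *     strcpy(buf, arg);
 */

/* Bounded alternative: copy the argument of "VERB arg\r\n" into out.
 * Returns the argument length, or -1 when the argument is missing or too
 * long, so the caller can send an FTP error reply instead of copying. */
int ftp_arg(const char *line, size_t line_len, char *out, size_t out_sz)
{
    const char *end = line + line_len;
    const char *sp = memchr(line, ' ', line_len);
    size_t n;

    if (sp == NULL)
        return -1;                        /* verb without an argument */
    sp++;
    while (end > sp && (end[-1] == '\r' || end[-1] == '\n'))
        end--;                            /* strip the line terminator */
    n = (size_t)(end - sp);
    if (n == 0 || n > ARG_MAX_LEN || n >= out_sz)
        return -1;                        /* reject before touching out */
    memcpy(out, sp, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: "CWD " + arg_len filler bytes + CRLF, parsed locally. */
int try_arg_len(size_t arg_len)
{
    char out[ARG_MAX_LEN + 1];
    size_t total = 4 + arg_len + 2;
    char *line = malloc(total);
    int r;

    if (line == NULL)
        return -2;
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'a', arg_len);
    memcpy(line + 4 + arg_len, "\r\n", 2);
    r = ftp_arg(line, total, out, sizeof out);
    free(line);
    return r;
}
```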