Re: Buffer overflows in FTP Serv-U 2.5

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Buffer overflows in FTP Serv-U 2.5
  • From: Rob Beckers <Rob@CAT-SOFT.COM>
  • Date: Tue, 4 May 1999 09:24:16 -0400
  • Approved-By: Russ.Cooper@RC.ON.CA
  • Comments: To: Arne Vidstrom <winnt@BAHNHOF.SE>
  • In-Reply-To: <01BE952C.86211FD0.winnt@bahnhof.se>
  • Reply-To: Rob Beckers <Rob@CAT-SOFT.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

--On Monday, May 03, 1999, 6:16 AM +0200 Arne Vidstrom <winnt@BAHNHOF.SE>
wrote:

> Hi,
>
> It looks like there are some buffer overflows in FTP Serv-U 2.5 (the most
> recent version) and I guess they are present in the versions before too,
> but I haven't checked that. If you send:
>
> cwd xxxxxxx...
> ls xxxxxx...
>
> and so on (it works for all commands I tried which take arguments), the
> server will crash if the number of characters is 155 or more. If the
> number is exactly 155 it crashes without any message, and if the number
> is 156 or more Dr. Watson starts. I ran the server on Windows NT 4.0. Can
> anybody verify this?
>
> /Arne Vidstrom

Hi Arne,

Thank you for pointing out this bug! I have already traced and fixed it,
and made a beta available at ftp://ftp.cat-soft.com/beta/ which addresses
this.

I would have appreciated it if you had told me a few days before
posting this to the NTBUGTRAQ list. I am not afraid of bugs, I'm sure there
are more in Serv-U, but now friend and foe know how to remotely crash a
Serv-U FTP server and many Serv-U users are finding out their servers are
being deliberately crashed over and over (not to mention I have to deal
with the resulting flood of E-mail while I could use that time more
productively). It takes several days to fix a bug, and get it tested,
before an update can be released. That leaves many hanging until an update
is out. You know, it's not only the good guys that are subscribed to
NTBUGTRAQ...

Best wishes,

        Rob
        Author of Serv-U

-- "An eye for an eye will leave the whole world blind" (Gandhi) --
    Check out http://www.ftpserv-u.com for all about Serv-U v2.5
-------------------------------------------------------------------
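The defect discussed in this thread is an FTP command argument copied into a fixed-size buffer without a length check, so that arguments of 155 characters or more overwrite memory and crash the server. The following C program is an added example, not Serv-U's code and not Rob's fix: it shows the defensive pattern a command parser should use, measuring each field before copying it and returning a status code instead of writing past the end of the buffer. The limits MAX_VERB and MAX_ARG, the status enum and the function names are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical limits chosen for this example (not Serv-U's actual values). */
#define MAX_VERB 8
#define MAX_ARG  128

enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY = 1,
    PARSE_VERB_TOO_LONG = 2,
    PARSE_ARG_TOO_LONG = 3
};

struct ftp_command {
    char verb[MAX_VERB + 1];  /* e.g. "CWD", upper-cased, NUL-terminated */
    char arg[MAX_ARG + 1];    /* argument text, possibly empty */
};

/* Parse one FTP command line such as "cwd /pub\r\n" into fixed-size fields.
   Every copy is bounded by an explicit length check; an over-long field is
   rejected with a status code rather than copied, which is the class of
   defect the thread describes (server crash at 155+ argument characters). */
int parse_ftp_command(const char *line, struct ftp_command *out)
{
    const char *p = line;
    const char *end = line + strlen(line);
    size_t verb_len, arg_len, i;

    memset(out, 0, sizeof *out);

    /* Ignore the trailing CR/LF and any leading spaces. */
    while (end > line && (end[-1] == '\r' || end[-1] == '\n'))
        end--;
    while (p < end && *p == ' ')
        p++;
    if (p == end)
        return PARSE_EMPTY;

    /* The verb runs up to the first space; measure it before copying. */
    verb_len = 0;
    while (p + verb_len < end && p[verb_len] != ' ')
        verb_len++;
    if (verb_len > MAX_VERB)
        return PARSE_VERB_TOO_LONG;
    for (i = 0; i < verb_len; i++)
        out->verb[i] = (char)toupper((unsigned char)p[i]);
    out->verb[verb_len] = '\0';

    p += verb_len;
    while (p < end && *p == ' ')
        p++;

    /* The argument is the remainder of the line; reject it if it will not fit. */
    arg_len = (size_t)(end - p);
    if (arg_len > MAX_ARG)
        return PARSE_ARG_TOO_LONG;
    memcpy(out->arg, p, arg_len);
    out->arg[arg_len] = '\0';
    return PARSE_OK;
}

/* Helper: parse a line and return only its status. */
int check_line(const char *line)
{
    struct ftp_command cmd;
    return parse_ftp_command(line, &cmd);
}

/* Helper: parse a line and return the accepted argument length, or -1. */
int parsed_arg_len(const char *line)
{
    struct ftp_command cmd;
    if (parse_ftp_command(line, &cmd) != PARSE_OK)
        return -1;
    return (int)strlen(cmd.arg);
}

/* Helper: build "<verb> " + n 'x' characters + CRLF (constructed input,
   like the over-long arguments in the thread) and return the parse status. */
int check_arg_of_length(const char *verb, size_t n)
{
    static char buf[1024];
    size_t vlen = strlen(verb);
    if (vlen + 1 + n + 3 > sizeof buf)
        return -1;
    memcpy(buf, verb, vlen);
    buf[vlen] = ' ';
    memset(buf + vlen + 1, 'x', n);
    memcpy(buf + vlen + 1 + n, "\r\n", 3);
    return check_line(buf);
}

int main(void)
{
    struct ftp_command cmd;
    int st = parse_ftp_command("cwd /pub/incoming\r\n", &cmd);
    printf("normal command: status %d verb=%s arg=%s\n", st, cmd.verb, cmd.arg);
    printf("200-character argument: status %d\n", check_arg_of_length("cwd", 200));
    return 0;
}
```

Because the length checks happen before any write, an over-long argument costs the server nothing more than a rejected command; the same check is also the natural place to log the event, since legitimate clients rarely send paths anywhere near the limit.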