Date: Mon, 16 Nov 1998 18:02:43 -0700
From: Eric Wanner <ericw@FUTUREONE.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: nftp vulnerability (fwd)
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
---559023410-851401618-911263879=:29955
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.GSO.3.96.981116175122.29955D@future.futureone.com>
nftp is a shareware ftp program available at
ftp://crydee.sai.msu.su/pub/comp/software/asv/nftp/ that is
becoming more and more widely used.
Cause: nftp incorrectly handles strings returned by the server.
Tested: tested on version 1.40 linux-libc5 by sending 220 and 4400 X's
followed by a \n (didn't work without the \n because it didn't get
processed). 4400 was a random number, it has nothing to do with the
exploitability of this program.
Vulnerability: It appears to be an internal buffer that is being
overfilled, but I do not have the source code, so I cannot tell. If it is
an internal buffer, it may be possible to execute arbitrary code on the
connecting computer, but they have to connect to the server, and they must
be running this ftp proram.
Fix: I do not have the source code so I can't create a patch =).
It seems that too much trust is being put on the servers these days.
I have included a sample crash. Put it in your inetd if you want to see
for yourself.
Creator Notified: The creator was notified shortly before sending this
report.
Fix available: not yet.
--
Eric Wanner
Head Systems Administrator
FutureOne, Inc.
602-385-3379
http://home.futureone.com
EfNet: holobyte
Personal Email: holobyte@holobyte.org
---559023410-851401618-911263879=:29955
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="sample.pl"
Content-ID: <Pine.GSO.3.96.981116175119.29955B@future.futureone.com>
Content-Description:
Content-Transfer-Encoding: BASE64
IyEvdXNyL2Jpbi9wZXJsDQp1c2UgSU86OkhhbmRsZTsNCnN0ZG91dC0+YXV0
b2ZsdXNoKCk7DQpwcmludCAiMjIwICI7DQpwcmludCAiWCJ4NDQwMDsNCnBy
aW50ICJcbiI7DQpzbGVlcCAxMDA7DQo=
---559023410-851401618-911263879=:29955--
