[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: War-ftpd bug small addition

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] Re: War-ftpd bug small addition
From: "Berend-Jan Wever" <skylined@xxxxxxxxxxxxxxx>
Date: Sat, 29 Jan 2005 01:29:56 +0100

This is (obviously) a format string vulnerability. (Un)fortunately war-ftpd.exe 
has it's own implementation of printf-functions that doesn't support "%n" -> No 
arbitrary overwrites.
The formatstring and destination string are on the heap and the destination is 
dynamically allocated --> no buffer overflows.
All in all: no code execution.

Vulnerabilities:
Commands such as "USER %9999999999d%9999999999d%999999999999d" will consume a 
lot of CPU and memory, thus causing a DoS on the system and not just War-ftpd. 
(Maybe Secunia want to update their rating again.)
Commands such as "USER %s%s%s%s%s....%s%s" are bound to run into a dword that 
doesn't point to allocated memory, thus causing a DoS on War-ftpd itself.

To exploit this format string vuln, the target War-ftpd.exe needs to run as a 
service since it resides in one of the logging functions that it only uses when 
running as a service.

Cheers,

SkyLined

Berend-Jan Wever <skylined@xxxxxxxxxxxxxxx>
TTP: http://www.edup.tudelft.nl/~bjwever
MSN: skylined@xxxxxxxxxxxxxxx
IRC: SkyLined in #SkyLined on EFNET
PGP: key ID 0x48479882

----- Original Message ----- 
From: "class 101" <class101@xxxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Friday, January 28, 2005 18:58
Subject: [Full-Disclosure] War-ftpd bug small addition


To fix the buggus advisory spreaded everywhere saying that you need to be 
authenticated, It's false Mc.Iglo ;)

USER %s*115AAAAA
PASS blahblah

http://secunia.com/advisories/14054/

-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------



--------------------------------------------------------------------------------


> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] War-ftpd bug small addition
  - From: class 101

Prev by Date: RE: [Full-Disclosure] ICMP Covert channels question
Next by Date: Re: [Full-Disclosure] C Code Analyzer
Previous by thread: [Full-Disclosure] War-ftpd bug small addition
Next by thread: [Full-Disclosure] [gentoo-announce] [ GLSA 200501-40 ] ngIRCd: Buffer overflow
Index(es):
- Date
- Thread