Date: Mon, 16 Nov 1998 18:02:43 -0700
Reply-To: Eric Wanner
Sender: Bugtraq List
From: Eric Wanner
Subject: nftp vulnerability (fwd)

nftp is a shareware ftp program available at ftp://crydee.sai.msu.su/pub/comp/software/asv/nftp/ that is becoming more and more widely used.

Cause: nftp incorrectly handles strings returned by the server.

Tested: tested on version 1.40 linux-libc5 by sending 220 and 4400 X's followed by a \n (didn't work without the \n because it didn't get processed). 4400 was a random number, it has nothing to do with the exploitability of this program.

Vulnerability: It appears to be an internal buffer that is being overfilled, but I do not have the source code, so I cannot tell. If it is an internal buffer, it may be possible to execute arbitrary code on the connecting computer, but they have to connect to the server, and they must be running this ftp program.

Fix: I do not have the source code so I can't create a patch =). It seems that too much trust is being put on the servers these days. I have included a sample crash. Put it in your inetd if you want to see for yourself.

Creator Notified: The creator was notified shortly before sending this report.

Fix available: not yet.

--
Eric Wanner
Head Systems Administrator
FutureOne, Inc.
602-385-3379
http://home.futureone.com
EfNet: holobyte
Personal Email: holobyte@holobyte.org
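A bounded reply-line reader of the kind a client needs for the server strings discussed in the report above, as an added example that is not part of the original post and is not nftp's code (the reporter did not have its source). The 512-byte cap `REPLY_MAX`, the function names and the status codes are assumptions made for illustration; the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 512 /* assumed cap for one reply line; not a value from the post */
enum { REPLY_OK = 0, REPLY_INCOMPLETE = -1, REPLY_TOO_LONG = -2, REPLY_MALFORMED = -3 };

/* Copy one reply line from in[0..in_len) into out[out_sz] and return a status.
 * The length is checked before any byte is copied, so out is never overrun. */
int parse_reply_line(const char *in, size_t in_len, char *out, size_t out_sz, int *code)
{
    const char *nl = memchr(in, '\n', in_len);
    if (nl == NULL) /* no terminator yet: stop buffering once the cap is reached */
        return in_len >= out_sz ? REPLY_TOO_LONG : REPLY_INCOMPLETE;
    size_t n = (size_t)(nl - in);
    if (n > 0 && in[n - 1] == '\r')
        n--; /* accept CRLF as well as a bare LF */
    if (n >= out_sz)
        return REPLY_TOO_LONG; /* reject instead of truncating or overflowing */
    if (n < 3 || !isdigit((unsigned char)in[0]) || !isdigit((unsigned char)in[1]) ||
        !isdigit((unsigned char)in[2]))
        return REPLY_MALFORMED;
    memcpy(out, in, n);
    out[n] = '\0';
    *code = (in[0] - '0') * 100 + (in[1] - '0') * 10 + (in[2] - '0');
    return REPLY_OK;
}

/* Constructed input shaped like the report's test: "220 " + filler 'X' bytes,
 * then "\n" if terminate is set. Returns the reply code, else the negative status. */
int demo(size_t filler, int terminate)
{
    static char banner[4 + 4400 + 1];
    char line[REPLY_MAX];
    int code = 0;
    size_t len = 4 + (filler > 4400 ? 4400 : filler);
    memcpy(banner, "220 ", 4);
    memset(banner + 4, 'X', len - 4);
    if (terminate)
        banner[len++] = '\n';
    int rc = parse_reply_line(banner, len, line, sizeof line, &code);
    return rc == REPLY_OK ? code : rc;
}

int main(void)
{
    printf("short=%d long=%d unterminated=%d\n", demo(5, 1), demo(4400, 1), demo(5, 0));
    return 0;
}
```

A client that gets `REPLY_TOO_LONG` should drop the connection rather than keep reading, since the server has already shown it is not sending well-formed replies.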