The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[email protected] list issue: NcFTPd


<< Previous INDEX Search src Set bookmark Go to bookmark Next >> 
Date: Thu, 20 Jun 2002 17:53:23 -0500
From: Mike Gleason <[email protected]>
To: [email protected]
Subject: [email protected] list issue: NcFTPd

>>>  (this came from a bugtraq posting by [email protected])
>>>
>>> On Thu, Jun 20, 2002 at 02:00:51PM +0400, 3APA3A wrote:
>>>
>>>>
>>>>   3.  There  was  also  report by DocSoft <docsoft at mail.ru> on 
>>>> buffer
>>>>   overflow  in  some  older version of ncftpd on Solaris , but I was 
>>>> not
>>>>   able to reproduce it at least on demo version of ncftpd >= 2.5.0 
>>>> under
>>>>   FreeBSD,  so  it  was  bounced.  Overflow  is on FTP DELE command 
>>>> with
>>>>   buffer  >  256  bytes. Feel free to contact DocSoft if you can 
>>>> confirm
>>>>   vulnerability.


I can't read Russian, but I am guessing that DocSoft is making a similar 
incorrect conclusion to what the older versions of the Nessus scanner 
used to do.  Below is a snippet from the page 
http://hackcastle.hut.ru/p_bugs.htm, which contains some cyrillic 
characters, so it may not be legible, but:

    $B'"'Q'T'Q(B $B'S(B NcFTPd Server [author: DocSoft]
    $B'1'`'c'^'`'d'b'V'd'n(B
    $B'2'V'Q']'Z'Y'Q'h'Z'q(B DoS-$B'Q'd'Q'\'Z(B $B'_'Q(B FTP

I do see "DoS" so I assume that the DocSoft is concluding that sending a 
very long "DELE AAAA...AAA" is causing NcFTPd to exit because the 
connection is abruptly closed.  Often when a server process abruptly 
closes the connection it means that the server process has crashed, 
resulting in (a minimum) of a denial-of-service.

However, NcFTPd has code to detect clients looking for buffer overflows, 
and when it detects a client attempting one, NcFTPd forcefully 
disconnects the user.  Older versions used to simply boot them off with 
no message, but that was changed so that it sends back an FTP "550" 
response first, _then_ it disconnects them.

Long story short: sending "DELE " followed by a huge number of 
characters does not cause any version of NcFTPd Server to crash or 
overflow an internal buffer.

Mike Gleason
NcFTP Software
http://www.NcFTP.com

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру