The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


NcFTPd remote buffer overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 23 Feb 1999 12:37:49 -0400
From: Julien Nadeau <[email protected]>
To: [email protected]
Subject: NcFTPd remote buffer overflow

Proof of Concept - Security Advisory                        02/23/99
http://poc.csoft.net                                     Released by
[email protected]                                    [email protected]

---

Affected Program        NcFTPd <http://www.ncftp.com>;
Description             FTP server (commercial)
Severity                Theoretical root compromise, logs compromise


Synopsis:

NcFTPd is a commercial FTP (File Transfer Protocol) server, in the
NcFTP product line.  The source code is not publicly released.  This
was tested on Linux with libc5 (there's a glibc2 specific version
available).

Problem:

NcFTPd's PORT parsing function has a stack buffer overflow
problem, which would basically allow a user to remotely execute
arbitrary code - the thing here is that the PORT parsing function
seem to change characters, that are not in the range 0x30-0x39
(ASCII '0'-'9'), into 0x20 (ASCII space), hence making an exploit
almost impossible (note that, if ascii 0x40 would be allowed that
would be a different story =p).

The program only parses for characters out of the 0-9 range in a
specific area in memory (the one that contains return address heh)
- the rest is kept unchanged, and you can't really go further in
memory, input line size is restricted.

However, since NcFTPd does not come with source code, I'm not sure.
Like with most buffer overflows there are probably work-arounds to
exploit it - this could have been a particulary neat exploit, since
it runs as a child and one could gain access transparently without
crashing the parent.

The current bug is not really a problem, it can crash the child process
with a segfault, the parent process receives a signal 6 (abort) and the
child process stay zombie for a few seconds and a brand new one is
created.
A few minor DoS attacks are possible but, who cares.  Oh and this could
be
used to not get listed in the logs too.

Example:

--
evil:$ nc victim ftp
220 victim NcFTPd Server (unregistered copy) ready.
user anonymous
331 Guest login ok, send your complete e-mail address as password.
pass some@thing
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Logged in anonymously.
port 00000000000000000000000000000000000000000000 (...)
501 Syntax error in parameters.
evil:$
--

Status:

I couldn't come up with a patch, since the source code doesn't
come with NcFTPd.  I contacted the authors about the bug.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру