[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-Disclosure] Re: War-ftpd bug small addition
From: "Berend-Jan Wever" <skylined () edup ! tudelft ! nl>
Date: 2005-01-29 0:29:56
Message-ID: 000901c5064b$a57354c0$0100a8c0 () grotedoos
[Download RAW message or body]
This is (obviously) a format string vulnerability. (Un)fortunately war-ftpd.exe has it's own \
implementation of printf-functions that doesn't support "%n" -> No arbitrary overwrites. The \
formatstring and destination string are on the heap and the destination is dynamically \
allocated --> no buffer overflows. All in all: no code execution.
Vulnerabilities:
Commands such as "USER %9999999999d%9999999999d%999999999999d" will consume a lot of CPU and \
memory, thus causing a DoS on the system and not just War-ftpd. (Maybe Secunia want to update \
their rating again.) Commands such as "USER %s%s%s%s%s....%s%s" are bound to run into a dword \
that doesn't point to allocated memory, thus causing a DoS on War-ftpd itself.
To exploit this format string vuln, the target War-ftpd.exe needs to run as a service since it \
resides in one of the logging functions that it only uses when running as a service.
Cheers,
SkyLined
Berend-Jan Wever <skylined@edup.tudelft.nl>
TTP: http://www.edup.tudelft.nl/~bjwever
MSN: skylined@edup.tudelft.nl
IRC: SkyLined in #SkyLined on EFNET
PGP: key ID 0x48479882
----- Original Message -----
From: "class 101" <class101@hat-squad.com>
To: <full-disclosure@lists.netsys.com>
Sent: Friday, January 28, 2005 18:58
Subject: [Full-Disclosure] War-ftpd bug small addition
To fix the buggus advisory spreaded everywhere saying that you need to be authenticated, It's \
false Mc.Iglo ;)
USER %s*115AAAAA
PASS blahblah
http://secunia.com/advisories/14054/
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
--------------------------------------------------------------------------------
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic