Re: Buffer overflow in Microsoft ftp.exe
From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Wed May 14 2003 - 01:17:25 EDT
On Wed, 2003-04-30 at 03:34, aT4r InsaN3 wrote:
Yes, they are, or at least were. A couple of years ago we came across a buffer overflow in the ftp client. If you use the ftp.exe client to log into an FTP server with a user name of >2048 characters or so, and the server is not a Microsoft FTP server (we used AIX in the test), the ftp client will crash when the server echoes back the long user name. (Sorry, I'm pulling this from memory. I tossed my notes together with Windows a couple of years ago ;)
For example:
C:> ftp test.host
If you enter an invalid user name, at some point the server is gonna echo that user name back to the ftp client. If the user name is too long, the long echo will overflow the ftp client. The reason this doesn't work against a Microsoft FTP server is that the MS server will truncate long user names to prevent buffer overflows. Too bad MS didn't apply the same idea to the client. An FTP server that echoes back a long user name can overflow the client. It was overwriting EIP, which means that you could execute code, albeit in the context of the user executing the ftp client. Since we couldn't come up with a credible scenario to exploit this remotely, we were short on time, and I myself was getting fed up with MS security anyway, this issue was filed away and forgotten. But I'm sure MS addressed this issue when they sent their programmers to security boot camp, or at least when they started code reviews/audits....
Regards,
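The bug class described in the post above, as an added example that is not part of the original message and is not ftp.exe's or any Microsoft code: a hypothetical FTP client reply handler in its vulnerable form (unbounded copy of the server reply into a fixed stack buffer) beside a hardened form that rejects over-long lines, plus the server-side name clamping the post credits Microsoft's server with. The buffer sizes, the reply text, the user-name limit and all function names are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed reply buffer of this hypothetical client (a constructed size). */
#define REPLY_BUF 128
/* Constructed server-side cap on the user name. */
#define USER_MAX 64

/*
 * Vulnerable pattern: the server's reply, which may echo back the user
 * name the client just sent, is copied into a fixed stack buffer with
 * no length check.  This illustrates the bug class in the post; it is
 * not ftp.exe's code.  Only ever call it with input shorter than
 * REPLY_BUF: a longer echo overruns buf and the saved return address.
 */
static int handle_reply_unsafe(const char *reply)
{
    char buf[REPLY_BUF];
    strcpy(buf, reply);      /* no bound: this is the overflow */
    return atoi(buf);        /* leading 3-digit reply code */
}

/*
 * Hardened form: copy the reply line into the same fixed buffer one byte
 * at a time, stop at CRLF, and reject (rather than silently truncate)
 * any line that would not fit.  Returns the reply code, or -1 if the
 * line is too long or does not start with "ddd " / "ddd-" (RFC 959).
 */
static int handle_reply_safe(const char *reply, size_t reply_len)
{
    char buf[REPLY_BUF];
    size_t n = 0;

    while (n < reply_len && reply[n] != '\r' && reply[n] != '\n') {
        if (n >= REPLY_BUF - 1)
            return -1;       /* would overflow: drop the whole line */
        buf[n] = reply[n];
        n++;
    }
    buf[n] = '\0';

    if (n < 4)
        return -1;
    for (size_t i = 0; i < 3; i++)
        if (!isdigit((unsigned char)buf[i]))
            return -1;
    if (buf[3] != ' ' && buf[3] != '-')
        return -1;
    return (buf[0] - '0') * 100 + (buf[1] - '0') * 10 + (buf[2] - '0');
}

/*
 * Constructed reply from a server that echoes the user name verbatim,
 * as the post describes for the non-Microsoft (AIX) server.  The name
 * is name_len bytes of 'A'.  Caller frees the result.
 */
static char *make_echo_reply(size_t name_len)
{
    const char *prefix = "530 User ";
    const char *suffix = " cannot log in.\r\n";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *r = malloc(plen + name_len + slen + 1);
    if (r == NULL)
        return NULL;
    memcpy(r, prefix, plen);
    memset(r + plen, 'A', name_len);
    memcpy(r + plen + name_len, suffix, slen + 1);
    return r;
}

/* Run the hardened handler against an echoed name of name_len bytes. */
static int echo_reply_result(size_t name_len)
{
    char *reply = make_echo_reply(name_len);
    if (reply == NULL)
        return -1;
    int code = handle_reply_safe(reply, strlen(reply));
    free(reply);
    return code;
}

/*
 * Server-side counterpart of what the post says Microsoft's server does:
 * clamp the user name to USER_MAX bytes before it can ever be echoed
 * back.  Returns the stored length.
 */
static char g_user[USER_MAX + 1];
static size_t store_user_name(const char *src)
{
    size_t n = 0;
    while (n < USER_MAX && src[n] != '\0')   /* never read past USER_MAX */
        n++;
    memcpy(g_user, src, n);
    g_user[n] = '\0';
    return n;
}

int main(void)
{
    printf("331 reply            -> %d\n",
           handle_reply_safe("331 Password required\r\n", 23));
    printf("20-byte echo  (safe) -> %d\n", echo_reply_result(20));
    printf("2048-byte echo(safe) -> %d\n", echo_reply_result(2048));
    printf("stored user name len -> %zu\n", store_user_name("anonymous"));
    /* handle_reply_unsafe(make_echo_reply(2048)) would smash the stack;
     * it is deliberately never run with long input. */
    (void)handle_reply_unsafe;
    return 0;
}
```

The design point is the one the post makes: the client must own the bound on what it copies, because the length of a reply is chosen by the peer, not by the client. Rejecting an over-long line (return -1) is preferred here over truncating it, since a truncated reply code or message is still attacker-shaped data; the server-side clamp is defence in depth, not a substitute.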
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT