`
Date: Mon, 16 Nov 1998 18:02:43 -0700
Reply-To: Eric Wanner <[email protected]>
Sender: Bugtraq List <[email protected]>
From: Eric Wanner <[email protected]>
Subject: nftp vulnerability (fwd)
Content-Type:MULTIPART/MIXED;
nftp is a shareware ftp program available at
ftp://crydee.sai.msu.su/pub/comp/software/asv/nftp/ that is
becoming more and more widely used.
Cause: nftp incorrectly handles strings returned by the server.
Tested: tested on version 1.40 linux-libc5 by sending 220 and 4400 X's
followed by a \n (didn't work without the \n because it didn't get
processed). 4400 was a random number, it has nothing to do with the
exploitability of this program.
Vulnerability: It appears to be an internal buffer that is being
overfilled, but I do not have the source code, so I cannot tell. If it is
an internal buffer, it may be possible to execute arbitrary code on the
connecting computer, but they have to connect to the server, and they must
be running this ftp program.
Fix: I do not have the source code so I can't create a patch =).
It seems that too much trust is being put on the servers these days.
I have included a sample crash. Put it in your inetd if you want to see
for yourself.
Creator Notified: The creator was notified shortly before sending this
report.
Fix available: not yet.
--
Eric Wanner
Head Systems Administrator
FutureOne, Inc.
602-385-3379
http://home.futureone.com
EfNet: holobyte
Personal Email: [email protected]
IyEvdXNyL2Jpbi9wZXJsDQp1c2UgSU86OkhhbmRsZTsNCnN0ZG91dC0+YXV0
b2ZsdXNoKCk7DQpwcmludCAiMjIwICI7DQpwcmludCAiWCJ4NDQwMDsNCnBy
aW50ICJcbiI7DQpzbGVlcCAxMDA7DQo=
`
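The class of bug the post suspects, a client copying a server reply line into a fixed buffer without checking its length, is avoided by validating the length before any copy. The following C function is an added example, not nftp's code and not part of the original post; the name `parse_ftp_reply`, the 512-byte `REPLY_MAX` limit and the return codes are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define REPLY_MAX 512   /* assumed cap on one reply line; not from the post */

enum { REPLY_OK = 0, REPLY_INCOMPLETE = -1, REPLY_TOO_LONG = -2, REPLY_MALFORMED = -3 };

/*
 * Parse one FTP reply line ("220 text\r\n") from untrusted server bytes.
 * data/len: bytes received so far. text/text_cap: caller's output buffer.
 * Nothing is copied until the line length has been checked against both
 * REPLY_MAX and text_cap, so an overlong line is rejected rather than
 * written past the end of the buffer.
 */
int parse_ftp_reply(const char *data, size_t len,
                    int *code, char *text, size_t text_cap)
{
    /* Search for the terminator only inside the window we will accept. */
    size_t window = len < REPLY_MAX ? len : REPLY_MAX;
    const char *nl = memchr(data, '\n', window);
    if (nl == NULL)
        return len >= REPLY_MAX ? REPLY_TOO_LONG : REPLY_INCOMPLETE;

    size_t line_len = (size_t)(nl - data);
    if (line_len > 0 && data[line_len - 1] == '\r')
        line_len--;                       /* accept CRLF or bare LF */

    /* Three digits, then space (final line) or '-' (continuation line). */
    if (line_len < 4 ||
        !isdigit((unsigned char)data[0]) ||
        !isdigit((unsigned char)data[1]) ||
        !isdigit((unsigned char)data[2]) ||
        (data[3] != ' ' && data[3] != '-'))
        return REPLY_MALFORMED;

    size_t text_len = line_len - 4;
    if (text_cap == 0 || text_len >= text_cap)
        return REPLY_TOO_LONG;            /* would not fit with the NUL */

    *code = (data[0] - '0') * 100 + (data[1] - '0') * 10 + (data[2] - '0');
    memcpy(text, data + 4, text_len);
    text[text_len] = '\0';
    return REPLY_OK;
}
```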