warftpd exploit?

2000-05-17T00:00:00
ID SECURITYVULNS:DOC:203
Type securityvulns
Reporter Securityvulns
Modified 2000-05-17T00:00:00

Description

WarFTPd 1.66 - 1.67 can be crashed due to an unchecked buffer for the CWD command, as this DoS exploit by eth0 from b0f shows. Now, it seems that the ret address can't be overwritten (so it is probably a dynamic buffer, and therefore a heap or data overflow). I've seen some heap overflows against FTP servers that store the ret address in the PASS command of an anonymous login (since that's allocated on the stack). Does anyone think it is possible to actually exploit warftpd with a similar technique? (I'm not sure if this is a heap overflow; sorry for incorrect assumptions, but I'm not a win32 debugger :)

-Mixter


mixter@newyorkoffice.com http://1337.tsx.org