warftpd exploit?

Type securityvulns
Reporter Securityvulns
Modified 2000-05-17T00:00:00


WarFTPd 1.66 - 1.67 can be crashed due to an unchecked buffer for the CWD command, as this DoS exploit by eth0 from b0f shows. Now, it seems that the ret address can't be overwritten (so it is probably a dynamic buffer, and therefore a heap or data overflow)... I've seen some heap overflows against ftp servers that store the ret address in the PASS command of an anonymous login (since that's allocated on the stack). Does anyone think it is possible to actually exploit warftpd with a similar technique? (I'm not sure if this is a heap overflow... sorry for incorrect assumptions, but I'm not a win32 debugger :)


mixter@newyorkoffice.com http://1337.tsx.org