[12419] in bugtraq
Re: WFTPD v2.40 FTPServer remotely exploitable buffer overflow
daemon@ATHENA.MIT.EDU (Alun Jones)
Wed Nov 3 15:28:05 1999
Message-Id: <19991102203910.20924.qmail@securityfocus.com>
Date: Tue, 2 Nov 1999 20:39:10 -0000
Reply-To: Alun Jones <alun@TEXIS.COM>
From: Alun Jones <alun@TEXIS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <NCBBKFKDOLAGKIAPMILPOEFBCAAA.luck@ussrback.com>

In response to Luck Martins' report of a buffer overflow in
WFTPD 2.40 and 2.34, we can confirm that this error does
exist. Our initial tests suggest that it is more of
a 'denial-of-service' nature, rather than an exploit
allowing an attacker to load their own code into memory -
the access that generates the fault is overwriting a single
null byte into heap space, rather than stack space.

We've been working on this problem over the weekend,
coinciding as it has with our intent to release a new
version, 2.41, early this week. We are completing
regression testing and beta testing and will be releasing
the new version later today.

Alun Jones
President, Texas Imperial Software.