[13699] in bugtraq
Re: war-ftpd 1.6x DoS
daemon@ATHENA.MIT.EDU (Jarle Aase)
Thu Feb 3 17:14:05 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <NCBBIJAIBDGCMNAHBHJPIEMLFHAA.jgaa@jgaa.com>
Date: Thu, 3 Feb 2000 08:41:34 +0100
Reply-To: Jarle Aase <jgaa@JGAA.COM>
From: Jarle Aase <jgaa@JGAA.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38969236225.C3BFCRC@mail.sft.sega.co.jp>
Content-Transfer-Encoding: 8bit
I can confirm that version 1.6* have a problem, as described in the initial report.
Until now, the command parser in War FTP Daemon 1.6* has allowed commands up to 8 KB in size. To prevent this, and other buffer-overflow problems, this size is decreased to (MAX_PATH + 8), and an additional check is added that prevents any command argument to exceed MAX_PATH in length.
A new version, 1.67-4 has been released with this modification. See http://war.jgaa.com/alert/ for download details.
Jarle Aase
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
> Toshimi Makino
> Sent: Tuesday, February 01, 2000 8:59 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: war-ftpd 1.6x DoS
>
>
> Hello,
>
>
> "war-ftpd" is very popular ftp server for Windows95/98/NT.
> I found DoS problem to "war-ftpd 1.6x" recently.
>
>
> Outline:
> It seems to occur because the bound check of the command of MKD/CWD
> that uses it is imperfect when this problem controls the directory.
>
> However, could not hijack the control of EIP so as long as I test.
> It is because not able to overwrite the RET address,
> because it seems to be checking buffer total capacity properly
> in 1.66x4 and later.
>
> The boundary of Access Violation breaks out among 8182 bytes
> from 533 bytes neighborhood although it differs by the thread
> that receives attack.
>
>
> The version that is confirming this vulnerable point is as follows.
> 1.66x4s, 1.67-3
>
>
> The version that this vulnerable point was not found is as follows.
> 1.71-0
[...]
