[20214] in bugtraq
QPC FTPd Directory Traversal and BoF Vulnerabilities
daemon@ATHENA.MIT.EDU (SNS Research)
Mon Apr 16 03:19:13 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <1087262172.20010413211317@greyhack.com>
Date: Fri, 13 Apr 2001 21:13:17 +0200
Reply-To: SNS Research <vuln-dev@greyhack.com>
From: SNS Research <vuln-dev@greyhack.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Strumpf Noir Society Advisories
! Public release !
<--#
-= QPC FTPd Directory Traversal and BoF Vulnerabilities =-
Release date: Saturday, April 14, 2001
Introduction:
QPC's ftpd is the ftp server component of the company's QVT/NET
and QVT/Term software suites for MS Windows.
The ftpd and the rest of the QVT/Net and QVT/Term product lines
is available from vendor QPC's website: http://www.qpc.com
Problem(s):
Directory Traversal Vulnerability
The ftpd daemon that ships with above mentioned packages is
vulnerable to a directory traversal problem. Adding '../'
(''s excluded) to a listing request ('ls') any user can gain
read access to other directories than his/her own.
Remote Buffer Overflow Vulnerability
The ftpd daemon that ships with mentioned packages contains an
unchecked buffer in the logon function. When a username or
password of 655 bytes or more gets fed to the server the buffer
will overflow and will trigger an access violation, after which
the server dies.
(..)
Solution:
Vendor QPC was notified but has yet to respond.
This was tested against QVT/Net Ftpd 4.3, coming with the
QVT/Net 5.0 and QVT/Term 5.0 suites, running on MS Win2k.
yadayadayada
Free sk8! (http://www.freesk8.org)
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
