[20402] in bugtraq
Re: WFTPD "Pro" 3.0 R4 Buffer Overflow
daemon@ATHENA.MIT.EDU (Alun Jones)
Tue Apr 24 15:56:19 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-ID: <4.3.2.7.2.20010423140140.01942650@mail.io.com>
Date: Mon, 23 Apr 2001 14:44:55 -0500
Reply-To: Alun Jones <alun@TEXIS.COM>
From: Alun Jones <alun@TEXIS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010422162000S.lbudney-lists-bugtraq@nb.net>

At 03:20 PM 4/22/2001, Len Budney wrote:
>WFTP is the Win/NT FTP server by Alun Jones

Incorrect. WFTP was a short-lived FTP _client_, by someone else
entirely. _WFTPD_ is the Windows (all versions) FTP server by Texas
Imperial Software.

>The latest version of WFTPD is vulnerable to a buffer overflow in the
>RETR and CWD commands. The overflow can be used to completely disable
>the FTP server, and can probably be exploited to run arbitrary code
>on the server host.

Again, incorrect. The buffer overflow claimed here, and its accompanying
"exploit" code posted by Mr Budney, are not effective against WFTPD or
WFTPD Pro in any form. A normal FTP error response is given, and the
server continues in its operation. Needless to say, anyone who, like Mr
Budney, is unwilling to take the word of a vendor, is welcome to download
and try our software against this reported vulnerability. We would welcome
any corrections.

>This problem was already reported for version 3.0 R1 on March 3, 2001
>[1], and the author claimed that he had "fixed" the overflow. What he
>apparently did was make the buffers bigger; now instead of ~500 characters
>overflowing the buffer, it takes ~32K instead.

Again, incorrect. The author _did_ fix the overflow, and what the author
_actually_ did, rather than any surmise in Mr Budney's mind, was to check
the size of input string against local buffers, and either dynamically
re-size the buffers, trim the string, or ignore the command
altogether. While no author can claim that his code is entirely free from
bugs, _this_ vulnerability is not an issue with current versions of WFTPD
and WFTPD Pro. Particularly, a CWD or RETR command with 32k of argument
does _not_ cause WFTPD or WFTPD Pro to crash, hang, or otherwise
misbehave. I have myself tested this against a command line with a million
characters without any apparent adverse effects.

Rather ironically, given ongoing discussion on vendor notification in
comp.security.unix, Mr Budney could have saved himself the embarrassment of
having filed such a poorly-researched bug report had he contacted the
vendors of WFTPD before posting to Bugtraq.

Alun Jones
President, Texas Imperial Software
--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
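
Added example, not part of the original message and not WFTPD's code: the three responses to an over-long CWD or RETR argument that the message describes (re-size the buffer, trim the string, or ignore the command), sketched in C. The buffer size and all type and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PATH_BUF 512  /* assumed size of the fixed local buffer */

enum policy { POLICY_REJECT, POLICY_TRIM, POLICY_RESIZE };
enum result { ARG_OK, ARG_TRIMMED, ARG_REJECTED, ARG_NOMEM };
struct arg_buf {
    char   fixed[PATH_BUF]; /* used for normal-sized arguments */
    char  *data;            /* points at fixed[] or at a heap block */
    size_t cap;             /* bytes available at data, including the NUL */
};

static void arg_init(struct arg_buf *b)
{
    b->data = b->fixed;
    b->cap = sizeof b->fixed;
    b->fixed[0] = '\0';
}

static void arg_free(struct arg_buf *b)
{
    if (b->data != b->fixed) free(b->data);
    arg_init(b);
}

/* Store a command argument of known length; never writes past b->cap. */
static enum result store_arg(struct arg_buf *b, const char *arg, size_t len, enum policy p)
{
    enum result r = ARG_OK;
    char *n;
    if (len >= b->cap) {              /* no room for len bytes plus the NUL */
        switch (p) {
        case POLICY_TRIM:             /* keep only what fits */
            len = b->cap - 1;
            r = ARG_TRIMMED;
            break;
        case POLICY_RESIZE:           /* grow to exactly the size needed */
            if (len == SIZE_MAX || (n = malloc(len + 1)) == NULL)
                return ARG_NOMEM;
            if (b->data != b->fixed) free(b->data);
            b->data = n; b->cap = len + 1;
            break;
        default: return ARG_REJECTED; /* POLICY_REJECT: buffer left untouched */
        }
    }
    memcpy(b->data, arg, len);
    b->data[len] = '\0';
    return r;
}
```

With the reject policy the caller can send an ordinary FTP error reply and keep serving the session.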