[29092] in bugtraq
ftp.exe anf tftp.exe buffer overflows
daemon@ATHENA.MIT.EDU (Max)
Fri Feb 28 12:09:17 2003
Date: Thu, 27 Feb 2003 16:43:21 -0800 (PST)
From: Max <rusmir@tula.net>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.50.0302271635400.29357-100000@sds.disney.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello there,
ftp.exe and tftp.exe both have the same problem with unchecked hostname length.
Description:
ftp.exe and tftp.exe do not check the length of hostname parameter before
passing it to gethostbyname(). This makes possible to crash them by providing
a long enough (~550+ bytes) hostname string.
According to Microsoft:
(http://msdn.microsoft.com/library/en-us/winsock/winsock/gethostbyname_2.asp)
"The gethostbyname function does not check the size of the name parameter
before passing the buffer. In improperly sized name parameters,
heap corruption can occur."
Although it is sort of strange behaviour, it is documented.
A good advice for MS developers is to read function description before using it.
Both problems tested on up-to-date W2KPro.
Thanks,
Max.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+XrCw8mCpXsrcXpwRAvrCAKDrQ9HALqCl3w1F23xsEEgAD4is9ACg7uHC
c5aVcrLBTzJ0/o4WJXsLVnM=
=20xF
-----END PGP SIGNATURE-----
