NetTerm-NetFTPD 4.2.2 suffers from multiple buffer overflows that can cause a denial of service against the server and possibly execute arbitrary commands.
NetTerm-NetFTPD 4.2.2 Multiple Vulnerabilities
Release Date:
15-7,2003
Description:
The Netftpd main window has two complete explorer style frames that can contain either a local file system and/or a remote file system. A tabbed output window at the bottom contains areas for detailed FTP messages, extended host directory information, file transfer data and a real time DUMeter for graphical file transfer speed displays. The Security Manager maintains the security parameters required by SFTP (SSH) and FTPS (SSL) style hosts. Certificates can be utilized by both SFTP and FTPS for user authentication, as well as the popular encrypted password authentication.
NetFTPD 4.2.2 is vulnerable to multiple buffer overflows. By sending a large buffer containing executable code and a new Instruction Pointer, an attacker is able to gain remote system shell access to the vulnerable server.
(1)
The attack:
C:\>telnet www.example.com 21
Connecting To www.example.com... connected.
220 NetTerm FTP server ready
user [buffer]
(enter)
(enter)
Where [buffer] is 1110 characters.
Moreover, there are many more buffer overflows like this one. Try:
Cwd [A] * 518
List [A] * 518
Stu [A] * 518
Port [A] * 1110
Type [A] * 1110
Mkd [A] * 1110
Rmd [A] * 1110
Dele [A] * 1110
If you send any of the commands above, NetFtpd will crash.
(2)
Furthermore, I found another attack. If you send about 1024 characters to the FTP daemon at any time, it will crash. (You don't need to log in for this attack.) If you want to test it, I have written a sample tool. Download it from here: http://members.lycos.co.uk/r34ct/main/godzillaDosTool/
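For (1) and (2), the server-side fix is to bound every received command line and argument before copying it anywhere. The following is an added sketch of such a check, not NetFTPD code and not from the advisory's author; the function name, struct and all three size limits are assumptions, since the product's real buffer sizes are not published.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed limits for this sketch; not taken from NetFTPD. */
#define FTP_MAX_LINE 512   /* whole command line, excluding CRLF */
#define FTP_MAX_VERB 4     /* USER, CWD, LIST, PORT, TYPE, MKD, RMD, DELE */
#define FTP_MAX_ARG  255   /* single argument (user name, path, ...) */

struct ftp_cmd {
    char verb[FTP_MAX_VERB + 1];
    char arg[FTP_MAX_ARG + 1];
};

/* Parse one received line of `len` bytes (need not be NUL-terminated).
 * Returns 0 on success, otherwise the FTP reply code to send instead of
 * processing: 500 = line too long or bad verb, 501 = bad argument. */
int ftp_parse_line(const char *line, size_t len, struct ftp_cmd *out)
{
    size_t i, vlen, alen;

    memset(out, 0, sizeof *out);
    /* Strip trailing CR/LF before measuring. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    /* Rejects the 518-, 1024- and 1110-character inputs before any copy. */
    if (len == 0 || len > FTP_MAX_LINE)
        return 500;
    /* Verb: 1..4 letters, ended by a space or end of line. */
    for (vlen = 0; vlen < len && line[vlen] != ' '; vlen++) {
        if (vlen >= FTP_MAX_VERB || !isalpha((unsigned char)line[vlen]))
            return 500;
        out->verb[vlen] = (char)toupper((unsigned char)line[vlen]);
    }
    if (vlen == 0)
        return 500;
    /* Argument: everything after the single separating space. */
    alen = (vlen < len) ? len - vlen - 1 : 0;
    if (alen > FTP_MAX_ARG)
        return 501;        /* fits the line cap but not the argument buffer */
    for (i = 0; i < alen; i++) {
        unsigned char c = (unsigned char)line[vlen + 1 + i];
        if (c == '\0' || c == '\r' || c == '\n')
            return 501;    /* embedded terminators are never valid */
        out->arg[i] = (char)c;
    }
    return 0;
}
```

Because the check runs on the raw line before authentication state is consulted, it applies equally to the pre-login case in (2).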
Exploit:
I have not had time yet to produce a proof of concept exploit, however expect one soon.
Disclaimer:
The author(s) does(do) not have any responsibility for any malicious
use of this advisory or proof of concept code. The code and the
information provided here are for educational purposes only.
The author(s) will NOT be held responsible for any direct or
indirect damages caused by the information or the code
provided here.
Vendor Status:
Not responding
Credit:
Dr_insane
Feedback
Please send suggestions, updates, and comments to:
Dr_insane
http://members.lycos.co.uk/r34ct/
dr_insane@pathfinder.gr