NetTerm-NetFTPD 4.2.2 Multiple Vulnerabilities

Release Date: 15-7,2003

Description:

The Netftpd main window has two complete explorer style frames that can contain either a local file system and/or a remote file system. A tabbed output window at the bottom contains areas for detailed FTP messages, extended host directory information, file transfer data and a real time DUMeter for graphical file transfer speed displays. The Security Manager maintains the security parameters required by SFTP (SSH) and FTPS (SSL) style hosts. Certificates can be utilized by both SFTP and FTPS for user authentication, as well as the popular encrypted password authentication.

NetFTPD 4.2.2 is vulnerable to multiple buffer overflows. By sending a large buffer containing executable code and a new Instruction Pointer, an attacker is able to gain remote system shell access to the vulnerable server.

(1) The attack:

    C:\>telnet www.example.com 21
    Connecting To www.example.com... connected.
    220 NetTerm FTP server ready
    user [buffer]
    (enter)
    (enter)

Where [buffer] is 1110 characters.

Moreover, there is also a very large number of buffer overflows like this. Try:

    Cwd [A] * 518
    List [A] * 518
    Stu [A] * 518
    Port [A] * 1110
    Type [A] * 1110
    Mkd [A] * 1110
    Rmd [A] * 1110
    Dele [A] * 1110

If you send any of the commands above, NetFtpd will crash.

(2) Furthermore, I found another attack. If you send about 1024 characters to the FTP daemon at any time, it will crash. (You don't need to log in for this attack.) If you want to test it, I have written a sample tool. Download it from here: http://members.lycos.co.uk/r34ct/main/godzillaDosTool/

Exploit:

I have not had time yet to produce a proof of concept exploit, however expect one soon.

Disclaimer:

The author(s) does (do) not have any responsibility for any malicious use of this advisory or proof of concept code. The code and the information provided here are for educational purposes only. The author(s) will NOT be held responsible for any direct or indirect damages caused by the information or the code provided here.

Vendor Status: Not responding

Credit: Dr_insane

Feedback

Please send suggestions, updates, and comments to:
Dr_insane
http://members.lycos.co.uk/r34ct/
dr_insane@pathfinder.gr
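The overflows described above all come from FTP command lines that are longer than the server expects, including input sent before login. The following is an added example, not NetFTPD code and not part of the original advisory: a command-line parser that checks every length before copying. The function name, struct and the three size limits are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_LINE 512   /* assumed cap on one control-channel line */
#define MAX_VERB 4     /* FTP verbs such as USER, CWD, LIST, PORT */
#define MAX_ARG  255   /* assumed cap on a command argument */

enum parse_rc { FTP_OK = 0, FTP_LINE_TOO_LONG, FTP_BAD_VERB, FTP_ARG_TOO_LONG };

struct ftp_cmd {
    char verb[MAX_VERB + 1];
    char arg[MAX_ARG + 1];
};

/* Parse one received line of `len` bytes (not necessarily NUL-terminated).
 * Every length is checked before any copy, so an over-long USER or CWD
 * argument, or an over-long pre-login line, is rejected instead of
 * overrunning a fixed-size buffer. */
enum parse_rc parse_ftp_line(const char *line, size_t len, struct ftp_cmd *out)
{
    size_t i = 0, alen;

    memset(out, 0, sizeof *out);
    if (len > MAX_LINE)
        return FTP_LINE_TOO_LONG;          /* enforced before login too */

    /* Strip trailing CR/LF. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;

    /* Verb: 1..MAX_VERB letters, upper-cased into out->verb. */
    while (i < len && isalpha((unsigned char)line[i])) {
        if (i >= MAX_VERB)
            return FTP_BAD_VERB;
        out->verb[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    if (i == 0 || (i < len && line[i] != ' '))
        return FTP_BAD_VERB;

    while (i < len && line[i] == ' ')      /* skip separator */
        i++;
    alen = len - i;
    if (alen > MAX_ARG)
        return FTP_ARG_TOO_LONG;           /* caller sends an error reply */
    memcpy(out->arg, line + i, alen);      /* bounded: alen <= MAX_ARG */
    out->arg[alen] = '\0';
    return FTP_OK;
}
```

The caller should read from the socket into a buffer of at least MAX_LINE + 1 bytes and treat any line without a terminator inside that window as too long, rather than continuing to append to the same buffer.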