I can confirm that version 1.6* have a problem, as described in the initial report.
Until now, the command parser in War FTP Daemon 1.6* has allowed commands up to 8 KB
in size. To prevent this, and other buffer-overflow problems, this size is decreased
to (MAX_PATH + 8), and an additional check is added that prevents any command argument
to exceed MAX_PATH in length.
A new version, 1.67-4 has been released with this modification. See
http://war.jgaa.com/alert/ for download details.
Jarle Aase
> -----Original Message-----
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of
> Toshimi Makino
> Sent: Tuesday, February 01, 2000 8:59 AM
> To: [EMAIL PROTECTED]
> Subject: war-ftpd 1.6x DoS
>
>
> Hello,
>
>
> "war-ftpd" is very popular ftp server for Windows95/98/NT.
> I found DoS problem to "war-ftpd 1.6x" recently.
>
>
> Outline:
> It seems to occur because the bound check of the command of MKD/CWD
> that uses it is imperfect when this problem controls the directory.
>
> However, could not hijack the control of EIP so as long as I test.
> It is because not able to overwrite the RET address,
> because it seems to be checking buffer total capacity properly
> in 1.66x4 and later.
>
> The boundary of Access Violation breaks out among 8182 bytes
> from 533 bytes neighborhood although it differs by the thread
> that receives attack.
>
>
> The version that is confirming this vulnerable point is as follows.
> 1.66x4s, 1.67-3
>
>
> The version that this vulnerable point was not found is as follows.
> 1.71-0
[...]
