Alun Jones wrote:

> In response to Luck Martins' report of a buffer overflow in
> WFTPD 2.40 and 2.34, we can confirm that this error does
> exist. Our initial tests suggest that it is more of

I guess we will have to wait for the 'final tests' then...

> a 'denial-of-service' nature, rather than an exploit
> allowing an attacker to load their own code into memory -
> the access that generates the fault is overwriting a single
> null byte into heap space, rather than stack space.

This is incorrect. [EMAIL PROTECTED] wrote an exploit for 2.34 that overwrites the stack and provides a remote shell, with the only constraint of having FTP access on the vulnerable box. It uses the MKD overflow and exploits WFTPD on WinNT 4.0 SP[3-4], Win95 and Win98. The exploit will be posted to Bugtraq by him in a few minutes.

So the above is obviously:

a) a flawed attempt to minimize the impact of the hole based on marketroid strategies related to the term 'damage control'

b) a technical mistake made in the rush of checking the existence or not of the hole.

I'd be very happy to think option b) is what happened; I wonder how many tests are needed when you have the source code of the buggy program, though. I don't mean to be picky, but I've seen a) happen a lot more than b).

> We've been working on this problem over the weekend,
> coinciding as it has with our intent to release a new
> version, 2.41, early this week. We are completing
> regression testing and beta testing and will be releasing
> the new version later today.
>
> Alun Jones
> President, Texas Imperial Software.

Alberto Soliño, the person at CORE that wrote the exploit, also identified another remotely exploitable buffer overflow that does not require FTP access. Since your next release will attempt to cover the security holes found, it would be good to also fix this; you may contact [EMAIL PROTECTED] for the details.

-ivan

-------------------------------------------------------------------
Ivan Arce
Presidente
CORE SDI S.A.
Buenos Aires, Argentina
http://www.core-sdi.com
TE: +54-11-4331-5402
-------------------------------------------------------------------

---
For a personal reply use [EMAIL PROTECTED]