From owner-freebsd-security Mon Oct 2 12:43:23 2000
Date: Mon, 2 Oct 2000 21:42:27 +0200 (SAST)
From: Justin Stanford
To: Brett Glass
Cc: Alex Charalabidis, "Chris D. Faulhaber", security@FreeBSD.ORG
Subject: Re: ftpd bug in FreeBSD through at least 3.4
In-Reply-To: <4.3.2.7.2.20001002125825.00de8f00@localhost>

I tried using ncftp2 to eradicate any bugs in 'ftp' that may be obscuring problems with 'ftpd'.

>
> ftp> quote %s%s%s%s%s
> 500 '+H|X++_YX++|¶QUOTE %s%s%s%s%s(null)%s%s%s%s%s': command not understood.

Same response.

> quote %s%s%s%s%s
'%S%S%S%S%S': command not understood.

> Now, let's send a command with more %s format directives to the server:
>
> ftp> quote %s%s%s%s%s%s%s%s%s%s
> (Nothing)
>
> The ftpd process on the server is alive but seems to be hung parsing the command.
> So, something is amiss, but to what extent it is exploitable I can't tell.
> It DOES happen even in 4.1, though.

> quote %s%s%s%s%s%s%s%s%s%s
'%S%S%S%S%S%S%S%S%S%S': command not understood.

Not so here.. a perfectly normal response. This is ftp'ing to localhost on 4.0-STABLE... I can then proceed normally with ftp'ing as well - the server does not hang.

Regards,
jus

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
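The `(null)` and stack garbage in the 500 reply quoted above are the classic signature of an unrecognised command being handed to a printf-style function as the format itself, while the healthy 4.0-STABLE server echoes the command literally. The C below is an added illustration written for this thread, not ftpd's source: it shows the hardened reply shape beside a directive counter a defender can run over ftpd command logs, and it assumes the upper-casing and the exact reply text modelled on the responses quoted in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives ("%%" is a literal percent and is
 * not counted). A non-zero count in an FTP command is a useful detection signal. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened reply builder (assumed shape of the fix, not ftpd's own code):
 * the command is only an argument to a literal format, never the format
 * itself. It is upper-cased first, matching the healthy '%S%S%S%S%S' reply in
 * the thread. The vulnerable shape, snprintf(out, outlen, upper), would make
 * printf pull one string pointer off the stack for every %s it finds. */
int safe_reply(char *out, size_t outlen, const char *cmd)
{
    char upper[64];
    size_t i;
    for (i = 0; cmd[i] && i < sizeof upper - 1; i++)
        upper[i] = (char)toupper((unsigned char)cmd[i]);
    upper[i] = '\0';
    return snprintf(out, outlen, "500 '%s': command not understood.", upper);
}

/* True when the hardened reply echoes cmd verbatim instead of interpreting it. */
int reply_equals(const char *cmd, const char *expected)
{
    char buf[128];
    safe_reply(buf, sizeof buf, cmd);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    safe_reply(buf, sizeof buf, "%s%s%s%s%s");  /* constructed: the thread's probe */
    printf("%d directives -> %s\n", count_format_directives("%s%s%s%s%s"), buf);
    return 0;
}
```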