From owner-freebsd-security Mon Oct 2 16:43:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 96AE537B503; Mon, 2 Oct 2000 16:43:23 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA11320; Mon, 2 Oct 2000 17:43:17 -0600 (MDT)
Message-Id: <4.3.2.7.2.20001002173916.046c16f0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 02 Oct 2000 17:43:10 -0600
To: Kris Kennaway
From: Brett Glass
Subject: Re: ftpd bug in FreeBSD through at least 3.4
Cc: Alex Charalabidis, "Chris D. Faulhaber", security@FreeBSD.org
In-Reply-To: <20001002143917.B22329@freefall.freebsd.org>
References: <4.3.2.7.2.20001002125825.00de8f00@localhost> <4.3.2.7.2.20001002123113.049344d0@localhost> <4.3.2.7.2.20001002125825.00de8f00@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:39 PM 10/2/2000, Kris Kennaway wrote:

>No, I think your client is expanding the %s locally and sending the
>junk to the server.

Kris:

I think you may be right here! The client may also be expanding the %s on the way BACK from the server. If this is the case, it is more serious, because it means that a malicious server might be able to take over the client.

I am checking to see if there are holes in the server, too. So far, when I send the same strings to the server using good ol' Telnet, the server seems to respond pretty much correctly. There are still some minor server glitches: some error messages are sent twice instead of once, the command is always changed to all uppercase up to the first whitespace and then echoed back with this modification, and trailing whitespace at the ends of commands is not ignored. But while these things could use fixing, none of them are exploitable.
--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
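The bug class the message is circling around, an FTP client handing a string it did not author (a server reply, or a locally typed command) to a printf-family function as the format argument, is easier to see in code. The block below is an added illustration written for this archive page; it is not code from the message, from Brett Glass, or from FreeBSD's ftp(1) or ftpd(8), and the function names, the "constructed" reply strings and the `count_format_directives` check are assumptions made for the example. It shows the vulnerable pattern beside the hardened one, and exercises the vulnerable one only with an input (`%%`) whose expansion is well defined, so the program itself is not undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original thread or from FreeBSD's ftp(1).
 * Demonstrates what "the client is expanding the %s locally" means: an
 * untrusted string used as the FORMAT argument of a printf-family call is
 * interpreted, not merely copied. */

/* Count conversion directives in an untrusted string. "%%" is a literal
 * percent sign and is not counted. A cheap sanity check a client could
 * apply before any reply reaches a formatting function (assumed helper). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: literal, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* VULNERABLE pattern: the reply itself is the format string.
 * With a reply containing %s, %x or %n this is undefined behaviour
 * (stack reads; with %n, memory writes). It is called here only with
 * "%%" so the expansion can be observed safely. */
int render_reply_unsafe(char *out, size_t outlen, const char *reply)
{
    return snprintf(out, outlen, reply);
}

/* HARDENED pattern: the reply is plain data for a fixed "%s" format. */
int render_reply_safe(char *out, size_t outlen, const char *reply)
{
    return snprintf(out, outlen, "%s", reply);
}

int main(void)
{
    /* Constructed sample replies, not captured FTP traffic. */
    const char *benign  = "250 Transfer complete, 100%% of file sent";
    const char *hostile = "550 %s%s%s%s%n";
    char buf[128];

    render_reply_unsafe(buf, sizeof buf, benign);
    printf("unsafe: %s\n", buf);   /* "%%" collapses to "%": the reply was parsed as a format */

    render_reply_safe(buf, sizeof buf, benign);
    printf("safe:   %s\n", buf);   /* reply reproduced verbatim */

    /* The hostile reply is never handed to render_reply_unsafe; we only
     * count what it would have asked the formatter to do. */
    printf("directives in hostile reply: %d\n",
           count_format_directives(hostile));
    return 0;
}
```

Compiling with `-Wformat-security` flags `render_reply_unsafe` at build time, which is the check to rely on in practice; the directive counter only illustrates why a reply with `%n` in it is more than a cosmetic glitch.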