>>> (this came from a bugtraq posting by 3APA3A@SECURITY.NNOV.RU) >>> >>> On Thu, Jun 20, 2002 at 02:00:51PM +0400, 3APA3A wrote: >>> >>>> >>>> 3. There was also report by DocSoft <docsoft at mail.ru> on >>>> buffer >>>> overflow in some older version of ncftpd on Solaris , but I was >>>> not >>>> able to reproduce it at least on demo version of ncftpd >= 2.5.0 >>>> under >>>> FreeBSD, so it was bounced. Overflow is on FTP DELE command >>>> with >>>> buffer > 256 bytes. Feel free to contact DocSoft if you can >>>> confirm >>>> vulnerability. I can't read Russian, but I am guessing that DocSoft is making a similar incorrect conclusion to what the older versions of the Nessus scanner used to do. Below is a snippet from the page http://hackcastle.hut.ru/p_bugs.htm, which contains some cyrillic characters, so it may not be legible, but: Бага в NcFTPd Server [author: DocSoft] Посмотреть Реализация DoS-атаки на FTP I do see "DoS" so I assume that the DocSoft is concluding that sending a very long "DELE AAAA...AAA" is causing NcFTPd to exit because the connection is abruptly closed. Often when a server process abruptly closes the connection it means that the server process has crashed, resulting in (a minimum) of a denial-of-service. However, NcFTPd has code to detect clients looking for buffer overflows, and when it detects a client attempting one, NcFTPd forcefully disconnects the user. Older versions used to simply boot them off with no message, but that was changed so that it sends back an FTP "550" response first, _then_ it disconnects them. Long story short: sending "DELE " followed by a huge number of characters does not cause any version of NcFTPd Server to crash or overflow an internal buffer. Mike Gleason NcFTP Software http://www.NcFTP.com
