COMMAND

    ftpd

SYSTEMS AFFECTED

    HPUX

PROBLEM

    Przemyslaw Frasunek found following.  He has discovered HPUX  ftpd
    remote vulnerability.   The problem  persists in  using vsprintf()
    without format string.  Example:

        220 xxx FTP server (Version 1.7.212.2 Tue Apr 21 12:14:46 GMT 1998) ready.
        user ftp
        331 Guest login ok, send ident as password.
        pass %.1030d
        230 Guest login ok, access restrictions apply.
        Connection closed by foreign host.
        
        Ftpd segfaulted here. Let's try with smaller value:
        
        220 xxx FTP server (Version 1.7.212.2 Tue Apr 21 12:14:46 GMT 1998) ready.
        user ftp
        331 Guest login ok, send ident as password.
        pass %.1024d
        230 Guest login ok, access restrictions apply.
        quit
        221 Goodbye.
        Connection closed by foreign host.

    It works now.  So, password buffer is 1024 bytes long.  No problem
    with exploiting this, by sending such format string:

        <shellcode>%.<len>d<ret>

    Przemyslaw has almost  working exploit, but  will not to  post it,
    until patches will be available.

SOLUTION

    HP Security Team is notified.