COMMAND

    nftp

SYSTEMS AFFECTED

    Those running nftp

PROBLEM

    Eric Wanner found the following.  nftp is a shareware ftp program
    available at

        ftp://crydee.sai.msu.su/pub/comp/software/asv/nftp/

    that is becoming more and more widely used.  nftp incorrectly
    handles strings returned by the server.  This was tested on
    version 1.40 linux-libc5 by sending 220 and 4400 X's followed by
    a \n (it didn't work without the \n because the line didn't get
    processed).  4400 was a random number; it has nothing to do with
    the exploitability of this program.

    It appears that an internal buffer is being overfilled.  If it is
    an internal buffer, it may be possible to execute arbitrary code
    on the connecting computer, but the user has to connect to the
    server and must be running this ftp program.  Below is a sample
    crash.  Put it in your inetd if you want to see for yourself.
    Exploit code:

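        #!/usr/bin/perl
        # Run from inetd: stdout is the socket to the connecting client.
        use IO::Handle;
        STDOUT->autoflush(1);    # send output immediately, unbuffered
        print "220 ";            # FTP greeting reply code
        print "X" x 4400;        # overlong reply text
        print "\n";              # terminator; the line is not processed without it
        sleep 100;               # keep the connection open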

SOLUTION

    The creator was notified.
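
    The length check that the behaviour described under PROBLEM
    suggests is missing, as an added example (not nftp's code and not
    part of the original advisory): a reply-line parser that checks
    the line length before copying.  parse_reply_line, the REPLY_*
    names and the 512-byte cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define REPLY_MAX      512  /* assumed per-line cap; not taken from nftp */
#define REPLY_BAD      (-1) /* line is not "NNN text" */
#define REPLY_TOO_LONG (-2) /* line does not fit in the caller's buffer */
#define REPLY_PARTIAL  (-3) /* no '\n' received yet, keep reading */

/* Hypothetical helper: validate one reply line in `in` (in_len bytes read from
 * the control connection), copy it NUL-terminated into `out`, return its code. */
int parse_reply_line(const char *in, size_t in_len, char *out, size_t out_sz)
{
    const char *nl = memchr(in, '\n', in_len);
    size_t len;
    int code = 0;
    if (nl == NULL)
        return in_len >= out_sz ? REPLY_TOO_LONG : REPLY_PARTIAL;
    len = (size_t)(nl - in);
    if (len > 0 && in[len - 1] == '\r')
        len--;                          /* accept CRLF or bare LF */
    if (len >= out_sz)
        return REPLY_TOO_LONG;          /* length is checked before any copy */
    if (len < 3 || (len > 3 && in[3] != ' ' && in[3] != '-'))
        return REPLY_BAD;
    for (int i = 0; i < 3; i++) {
        if (in[i] < '0' || in[i] > '9')
            return REPLY_BAD;
        code = code * 10 + (in[i] - '0');
    }
    memcpy(out, in, len);               /* len < out_sz, room for the NUL */
    out[len] = '\0';
    return code;
}

/* Constructed input matching the advisory: "220 ", 4400 'X', then '\n'. */
int parse_advisory_banner(void)
{
    static char wire[4 + 4400 + 1];
    char line[REPLY_MAX];
    memcpy(wire, "220 ", 4);
    memset(wire + 4, 'X', 4400);
    wire[4 + 4400] = '\n';
    return parse_reply_line(wire, sizeof wire, line, sizeof line);
}

int main(void)
{
    printf("advisory banner -> %d\n", parse_advisory_banner());
    return 0;
}
```

    A client that gets REPLY_TOO_LONG can drop the connection instead
    of copying the line.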