Meteor FTP Server v1.5 Buffer Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Meteor FTP Server v1.5 Buffer Overflow
From: Auston J <Anix44@xxxxxxxxx>
Date: 23 May 2005 16:14:37 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


The overflow is triggered once a series of commands have been issued with 
specific criteria. In theory, using the USER command followed by a large amount 
of data will result in memory corruption as we have seen previously. However, 
if the PASS and PORT command are also issued with the right arguments, the 
memory corruption may be re-aligned to create a buffer overflow.

Psuedo Exploitation...

USER (A x 80) (Following 4 Bytes = New Return Point)
PASS 0wn3r
PORT 127,0,0,1,18,12 (Must be same as connecting IP)

At this point the server hangs. If the connection were manually disconnected, 
or left to time out on it's own (5 minutes by default), the violation will be 
thrown.

Prev by Date: Format string and crash in Warrior Kings 1.3 and Battles 1.23
Next by Date: [ GLSA 200505-17 ] Qpopper: Multiple Vulnerabilities
Previous by thread: Format string and crash in Warrior Kings 1.3 and Battles 1.23
Next by thread: [ GLSA 200505-17 ] Qpopper: Multiple Vulnerabilities
Index(es):
- Date
- Thread