NcFTPd remote buffer overflow | Linux Today

NcFTPd remote buffer overflow

Written By
Web Webster
Feb 23, 1999
    From: Julien Nadeau <sw3wn@CSOFT.NET>
 Subject: NcFTPd remote buffer overflow
    Date: Tue, 23 Feb 1999 12:37:49 -0400
      To: BUGTRAQ@netspace.org
Reply-To: Julien Nadeau <sw3wn@CSOFT.NET>

Proof of Concept - Security Advisory                        02/23/99
http://poc.csoft.net                                     Released by
poc@csoft.net                                    sw3wn@poc.csoft.net

---     

Affected Program        NcFTPd <http://www.ncftp.com>
Description             FTP server (commercial)
Severity                Theoretical root compromise, logs compromise


Synopsis:

NcFTPd is a commercial FTP (File Transfer Protocol) server, in the
NcFTP product line.  The source code is not publicly released.  This
was tested on Linux with libc5 (there's a glibc2 specific version 
available).

Problem:

NcFTPd's PORT parsing function has a stack buffer overflow
problem, which would basically allow a user to remotely execute
arbitrary code - the thing here is that the PORT parsing function
seems to change characters that are not in the range 0x30-0x39
(ASCII '0'-'9') into 0x20 (ASCII space), hence making an exploit
almost impossible (note that, if ASCII 0x40 were allowed, that
would be a different story =p).

The program only parses for characters out of the 0-9 range in a
specific area in memory (the one that contains the return address heh)
- the rest is kept unchanged, and you can't really go further in
memory, since the input line size is restricted.

However, since NcFTPd does not come with source code, I'm not sure.
Like with most buffer overflows there are probably work-arounds to
exploit it - this could have been a particularly neat exploit, since
it runs as a child and one could gain access transparently without
crashing the parent.

The current bug is not really a problem: it can crash the child process
with a segfault, the parent process receives a signal 6 (abort), the
child process stays zombie for a few seconds, and a brand new one is
created.
A few minor DoS attacks are possible but, who cares.  Oh, and this could
be used to not get listed in the logs too.

Example:

--      
evil:$ nc victim ftp
220 victim NcFTPd Server (unregistered copy) ready.
user anonymous
331 Guest login ok, send your complete e-mail address as password.
pass some@thing
230-You are user #1 of 50 simultaneous users allowed.
230-    
230 Logged in anonymously.
port 00000000000000000000000000000000000000000000 (...)
501 Syntax error in parameters.
evil:$  
--      

Status: 

I couldn't come up with a patch, since the source code doesn't 
come with NcFTPd.  I contacted the authors about the bug.
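An added example, not from the advisory and not NcFTPd's code (whose source is not public): a PORT-argument parser written the way a defender would want one. It never copies the argument into a fixed-size stack buffer, caps accepted input at the 23 bytes a well-formed "h1,h2,h3,h4,p1,p2" argument can occupy, and treats the over-long run of zeros from the session above as a syntax error rather than something to be "sanitized" in place. Sample inputs are constructed.

```c
#include <stdio.h>
#include <stdint.h>

/* "255,255,255,255,255,255" is 23 bytes; anything longer is rejected unread. */
#define PORT_ARG_MAX 23

struct port_addr { uint32_t ip; uint16_t port; };  /* host byte order */

/* Parse an FTP PORT argument "h1,h2,h3,h4,p1,p2" (RFC 959) in place, never
 * copying it into a fixed-size stack buffer.  Returns 1 and fills *out on
 * success, 0 on any syntax error (server replies "501 Syntax error in parameters."). */
int parse_port_arg(const char *arg, struct port_addr *out)
{
    unsigned vals[6];
    size_t len = 0;
    while (len <= PORT_ARG_MAX && arg[len] != '\0') len++;
    if (len == 0 || len > PORT_ARG_MAX)         /* empty or over-long input */
        return 0;
    for (int i = 0; i < 6; i++) {
        unsigned v = 0, digits = 0;
        while (*arg >= '0' && *arg <= '9') {    /* decimal digits only */
            v = v * 10 + (unsigned)(*arg++ - '0');
            if (++digits > 3 || v > 255)        /* each field is one octet */
                return 0;
        }
        if (digits == 0)                        /* missing field */
            return 0;
        vals[i] = v;
        if (i < 5 && *arg++ != ',')             /* comma between fields */
            return 0;
    }
    if (*arg != '\0')                           /* trailing junk */
        return 0;
    out->ip = ((uint32_t)vals[0] << 24) | (vals[1] << 16) | (vals[2] << 8) | vals[3];
    out->port = (uint16_t)((vals[4] << 8) | vals[5]);
    return 1;
}

int main(void)
{   /* Constructed inputs: a valid argument and the advisory's run of zeros. */
    const char *in[] = { "10,0,0,1,4,1", "0000000000000000000000000000000000000000" };
    for (int i = 0; i < 2; i++) {
        struct port_addr a;
        if (!parse_port_arg(in[i], &a)) { puts("501 Syntax error in parameters."); continue; }
        printf("200 PORT ok: %u.%u.%u.%u port %u\n", a.ip >> 24, (a.ip >> 16) & 255,
               (a.ip >> 8) & 255, a.ip & 255, a.port);
    }
    return 0;
}
```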