Support - Bug Pages
GPFs and other crashes
Click here to learn more about GPFs - what they are, and
how to report them.
GPFs in current versions:
[We are currently unaware of any GPFs in the current released version of
WFTPD or WFTPD Pro]
Fixed in WFTPD and WFTPD Pro 3.25 (2006/11/30):
- crash in incorrect passwords - WFTPD and WFTPD
Pro crash with an incorrect password over eight characters in length. Not
exploitable.
- crash in debug mode - in debug mode (which
isn't shipped by default, and is only used to trace errors), it's possible
to overflow the message buffer by one null character. Not exploitable.
- stack overflow in command processing - it is
possible to exploit a race condition and buffer size limit in command
processing to cause a stack overflow. May lead to remote execution of code.
Fixed in WFTPD Pro 3.21 R3 (2004/03/16):
- crash in CPL applet - WFTPD Pro's Control
Panel applet can be crashed while monitoring a long command.
Fixed in WFTPD Pro 3.21 R2 (2004/02/29):
- 'ls' options overflow - WFTPD and WFTPD Pro
use the Unix format for file listings, because this is what most clients
expect. Unfortunately, because of this expectation, some clients
actually demand that the server implements all the features of the Unix 'ls'
command, including the options that can be passed to it. Due to a
programming error on our part, an attacker could cause a GPF - and possibly
exploit the server - by sending too long an option string in a directory
listing request.
- 'djo' overflow -
this bug applies only to users who have installed WFTPD Pro Server as part
of the Xerox Digipath software. An attacker could log on to the server
as a Xerox Docutech user, and create a long directory, which would overflow
a buffer.
Fixed in WFTPD Pro 3.10 R2:
- SSL / TLS GPF - when transferring files over 64KB in size, the
encrypted data would overflow the buffer, causing a GPF. It is
thoroughly unlikely that this could ever be exploited, because the
negotiation of keys would make the encrypted data essentially random, but it
is nonetheless a bug that demanded to be fixed. If you use SSL / TLS
at all, you should upgrade to WFTPD Pro 3.10 R2 or later.
Fixed in WFTPD / WFTPD Pro 3.00 R5:
- NT4.0 Overflows - WFTPD and WFTPD Pro both trigger an overflow in
the Windows NT 4.0 operating system, when a long file name is
supplied. We have released WFTPD and WFTPD Pro 3.00 R5 to
"side-step" the particular behaviour that seems to cause this bug
- but without further debugging the operating system, we cannot be entirely
sure that it will not show up somewhere else. Please let us know if
the new version behaves improperly.
Not reproducible:
- Windows 9x / WS2_32.DLL - we have received a few reports of a GPF in
WS2_32.DLL, while running WFTPD on Windows 95 and 98. In each case, the
cause could not be traced back
to WFTPD, and a removal and reinstallation of the Windows networking
subsystem prevented further occurrences. It is possible that some
rogue program has managed to corrupt some of Windows' Winsock
stack. We are currently unable to reproduce this in house. We
have had six reports of this error, and all six were fixed immediately after
removing and reinstalling the Winsock stack.
Fixed in WFTPD Pro 3.00 R3:
- So secure you can't even log in - the Windows Security Model
implementation concealed a rather subtle bug that, in some systems, caused a
GPF whenever a user tried to log on. Again, not a buffer overflow, and
as far as we can tell, cannot be used to execute arbitrary code.
- Long path-names - with a long path-name specified to certain
commands, the check to see if the path-name contains a device name may crash
with a GPF.
Fixed in 2.41 RC14:
- Bye-bye - under certain circumstances of aggressive memory
protection, a user that is timed out could cause a GPF as he is removed from
the system. This is not a buffer overflow, and cannot be used to
execute arbitrary code.
Fixed in 2.41 RC13:
- Why would anyone do that? - If a user sends a long stream of
characters in the ASCII range 128-255, they can cause WFTPD and WFTPD Pro to
overrun the command buffer, causing a GPF. You'll never guess who
discovered this one. Yep, Blue Panda again. If this carries on,
we may have to start sending him food parcels.
Fixed in 2.41 RC12:
- Devices and desires - Windows 9x has a bug where it crashes badly
if you try to access a file "device\device" (even trying to type
it in a DOS window is going to cause you problems), where 'device' is any
MS-DOS device. In our filtering of device names, we missed some that
were not documented by Microsoft. We now filter device names better,
and offer the more technical user a registry setting or INI file entry that
can be used to add further device names. [discovered by Blue Panda]
- MLST crash - if the new MLST command is enabled, executing it prior
to logging in can cause a GPF. [discovered by Blue Panda]
- A change is as good as a REST - When restoring uploads, you first
tell the server what byte to restart from, and then start the upload.
If the restart count is larger than the current size of the file, or you are
attempting to 'resume' an upload of a file that doesn't exist on your
server, the server crashes, rather than telling you off. [discovered
by Blue Panda, who needs to either get a life or go hack on some of our
competitors' products :-)]
Fixed in 2.41 RC11:
- Panda-monium - a GPF bug (reported by "Blue Panda" -
thanks!) could allow a remote user to crash WFTPD or WFTPD Pro in all
versions prior to 2.41 RC11. The bug can be reproduced by sending a
"RNTO" command without a preceding "RNFR" - as implied
by the heading, installing version 2.41 RC11 will negate this problem.
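The three command-sequencing crashes fixed in 2.41 RC12 and RC11 (MLST before login, a REST offset past the end of the file or for a missing file, RNTO without RNFR) all come down to validating per-session state before a handler runs. The C example below is added here for illustration and is not WFTPD source; the session struct, check_command, is_cmd and the choice of reply codes are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical per-connection state (names are assumptions, not WFTPD's). */
struct session {
    bool logged_in;        /* set by the caller once USER/PASS succeed */
    bool rnfr_pending;     /* RNFR seen, waiting for RNTO */
    long long rest_offset; /* offset from REST, applies to the next transfer */
};

static bool is_cmd(const char *cmd, const char *name) { return strcmp(cmd, name) == 0; }

/*
 * Returns 0 if the command may proceed, otherwise the FTP reply code to send.
 * arg is the offset for REST and the current size of the target file for
 * STOR (-1 if the file does not exist); it is ignored for other commands.
 */
int check_command(struct session *s, const char *cmd, long long arg)
{
    /* Only the login dialogue is allowed before authentication. */
    if (!s->logged_in &&
        !(is_cmd(cmd, "USER") || is_cmd(cmd, "PASS") || is_cmd(cmd, "QUIT")))
        return 530; /* not logged in: covers MLST sent before login */

    /* Capture and clear sequence state so it cannot leak into later commands. */
    bool had_rnfr = s->rnfr_pending;
    long long offset = s->rest_offset;
    s->rnfr_pending = false;
    s->rest_offset = 0;

    if (is_cmd(cmd, "RNFR")) { s->rnfr_pending = true; return 0; }
    if (is_cmd(cmd, "RNTO")) return had_rnfr ? 0 : 503; /* bad sequence */
    if (is_cmd(cmd, "REST")) {
        if (arg < 0) return 501; /* syntax error in parameters */
        s->rest_offset = arg;
        return 0;
    }
    if (is_cmd(cmd, "STOR") && offset > 0 && (arg < 0 || offset > arg))
        return 554; /* restart point beyond the file, or no file to resume */
    return 0;
}
```

Running this check before dispatch means each handler can assume its preconditions hold, so a malformed sequence gets an error reply instead of reaching code that dereferences state that was never set.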
Fixed in 2.41 RC9:
- 16-bit failure - the 16-bit version of WFTPD may GPF on trying to
provide a listing of files - this affects directory listings and "mget"
multiple gets.
Older GPFs:
- GPFs fixed in RC7 - a couple of GPFs were reported in RC6 and
predecessors, and more potential GPFs were found by code inspection.
When stopping WFTPD Pro, it might GPF; when security is disabled, WFTPD or
WFTPD Pro might GPF; if a client connects and disconnects before its name is
resolved through DNS, WFTPD or WFTPD Pro might GPF; and if a socket handle
over 64k was returned by the operating system, WFTPD or WFTPD Pro might GPF.
Status: 2.41 RC7 and above fix all these problems.
- Buffer overflow - versions 2.34 and 2.40 of WFTPD and WFTPD Pro can
be crashed by a remote user sending a sequence of over-long commands, as
reported in November 1999 in bugtraq and NTSecurity.Net (and possibly at other
sites).
Status: Fixed in WFTPD and WFTPD Pro 2.41.