[fuzzing] When Ax1024 isn't enough

Disco Jonny discojonny at gmail.com
Wed Nov 8 05:34:49 CST 2006


> Recently, h07 published a vulnerability in Easy File Sharing FTP
> Server. Apparently a simple buffer overflow in the PASS command. This
> vulnerability is a nice example where fuzzing won't cut it.

Christ, someone needs a clue.

With 2-stage fuzzing (yeah, not even proper reactive fuzzing) you would
know that the comma would throw the code into a different state from
the start.

> A fuzzer will usually take a legal FTP session, and will try to overflow
> interesting sections. The password field is a prime candidate, but the
> problem is, if you test for a simple overflow you'll just send many 'A'
> characters or something similar. This is because fuzzers tend to look for
> the coin under the street-light.

This is not a fuzzer, this is a very limited buffer length checker. And
yeah, that probably won't find it, and if it did it would have to have
been from heuristics.

> This is not done due
> to programmer laziness, this is due to the sheer amount of possibilities
> to check.

Don't they teach maths and computer science anymore? I actually think
this is down to programmers' incompetence, and not actually
understanding the task they are trying to write a program to automate.

This is a very, very common problem with programmers.

> FTP is a relatively simple protocol, but with vendor extensions
> it has dozens of commands. Checking every command for vulnerabilities
> could take a long time, and with network considerations we're talking
> weeks and months of continuous bombardment on the target server.

Riiiiiiiiiiiiiiiight. If you have 1 server and 1 test PC, yeah,
maybe. Anyone who tests like that though will need a lot more help
than a fuzzer. I see no mention of actually calculating the input
space, just that it might take a long time to test...

Anyway, I guess I'd better stop. I guess people just don't want to understand.

cheers,

dj.
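An added illustration of the point argued in this post (two-stage fuzzing versus a fixed "A"x1024 probe), written for this page and not taken from the post, from h07's advisory, or from the Easy File Sharing FTP Server code. The `toy_pass_handler` below is a constructed stand-in with a deliberately injected defect on its comma-separated path; the token list, lengths and iteration count are assumptions chosen for the demonstration. Stage 1 learns which characters change the handler's observable state, stage 2 fuzzes each field around those tokens, and `input_space_size` gives the number the post says should be calculated before estimating test time.

```python
import random
import string


class ParseError(Exception):
    """Raised when the toy handler rejects input cleanly (the safe path)."""


def toy_pass_handler(arg: str) -> str:
    """Constructed stand-in for a PASS command handler (not the real server).

    The plain form is bounds-checked. The comma-separated 'extended' form
    switches to a second code path that copies the trailing field into a
    fixed 64-byte buffer without checking its length; the MemoryError
    below simulates the overflow that path would cause in native code.
    """
    if "," not in arg:
        if len(arg) > 64:
            raise ParseError("530 password too long")  # bounds check present
        return "230 ok"
    _, _, extra = arg.partition(",")
    buf = bytearray(64)
    if len(extra) > len(buf):
        # constructed defect: the extended path forgot the bounds check
        raise MemoryError("simulated overflow in extended PASS handling")
    buf[: len(extra)] = extra.encode()
    return "230 ok (extended)"


def stage1_probe(handler, lengths=(64, 256, 1024)):
    """The 'Ax1024' style probe: long runs of 'A' at a few fixed lengths.

    Returns the payloads that reached the defect. Against the toy handler
    this is always empty, because no comma means the safe path is taken.
    """
    hits = []
    for n in lengths:
        try:
            handler("A" * n)
        except ParseError:
            pass  # clean rejection, not a bug
        except MemoryError:
            hits.append("A" * n)
    return hits


def discover_tokens(handler, candidates=",;:/@=| "):
    """Stage 1 of two-stage fuzzing: learn which characters move the
    handler into a different state, judged by a changed response."""
    baseline = handler("pw")
    tokens = []
    for c in candidates:
        try:
            if handler("pw" + c + "x") != baseline:
                tokens.append(c)
        except (ParseError, MemoryError):
            tokens.append(c)  # any behavioural change counts as a new state
    return tokens


def stage2_fuzz(handler, tokens, iterations=200, seed=1):
    """Stage 2: fuzz each field around the discovered state-changing
    tokens, instead of only the leading field. Returns crashing payloads."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        tok = rng.choice(tokens)
        left = "".join(rng.choices(string.ascii_letters, k=rng.randint(0, 8)))
        right = "A" * rng.choice((8, 64, 65, 256, 1024))
        payload = left + tok + right
        try:
            handler(payload)
        except ParseError:
            pass
        except MemoryError:
            findings.append(payload)
    return findings


def input_space_size(alphabet_size: int, max_len: int) -> int:
    """Number of distinct inputs up to max_len over an alphabet: the figure
    the post says should be calculated before guessing 'weeks and months'."""
    return sum(alphabet_size ** k for k in range(max_len + 1))


if __name__ == "__main__":
    print("stage 1 (A*n) hits:", stage1_probe(toy_pass_handler))
    toks = discover_tokens(toy_pass_handler)
    print("state-changing tokens:", toks)
    found = stage2_fuzz(toy_pass_handler, toks)
    print(f"stage 2 found {len(found)} crashing inputs, e.g. {found[0][:24]!r}...")
    digits = len(str(input_space_size(95, 1024)))
    print(f"inputs of length <= 1024 over 95 printables: a {digits}-digit number")
```

The fixed-length probe never reaches the defect because the safe path is the only one it exercises; once the comma is identified as a state-changing token, the second stage hits the unchecked copy on the first long trailing field it generates. The same skeleton applies to any line-oriented protocol by swapping the handler for a harness around the real parser and the candidate list for that protocol's delimiters.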

