Bugtraq mailing list archives
proftp advisory
From: lamagra () DIGIBEL ORG (lamagra)
Date: Wed Jul 5 16:47:16 2000
___________________________________________________ http://lamagra.seKure.de: advisory #1 Advisory: misc. bugs Programname: proftpd Versions: 1.2.0 <= pre10 Vendor: proftpd.net Severity: high (root shell) and low Contact: lamagra () digibel org Bug1: void set_proc_title(char *fmt,...) in src/main.c <snippet> memset(statbuf, 0, sizeof(statbuf)); vsnprintf(statbuf, sizeof(statbuf), fmt, msg); #ifdef HAVE_SETPROCTITLE setproctitle(statbuf); #endif /* HAVE_SETPROCTITLE */ </snippet> setproctitle, defined setproctitle(char *fmt,...);, calls vsnprintf(). This makes it vulnerable for formatattacks. By carefully outlining the attackbuffer it's possible to gain root priviledges. Fix: use setproctitle("%s",statbuf); Bug2: MODRET pam_auth(cmd_rec *cmd) in modules/mod_pam.c <snippet> /* Allocate our entries...we don't free this because PAM does this for us. */ pam_user = malloc(strlen(cmd->argv[0]) + 1); if(pam_user == (char *)0) return pam_return_type ? ERROR(cmd) : DECLINED(cmd); sstrncpy(pam_user, cmd->argv[0], strlen(cmd->argv[0]) + 1); pam_pass = malloc(strlen(cmd->argv[1]) + 1); if(pam_pass == (char *)0) return pam_return_type ? ERROR(cmd) : DECLINED(cmd); sstrncpy(pam_pass, cmd->argv[1], strlen(cmd->argv[1]) + 1); </snippet> PAM doesn't do it for you though. Which leaves a nice memoryleak. But since USER/PASS is limited to 3 tries and user changing isn't supported. This can't be used as a Denial of service attack against proftpd, unless the administartor sets a different (higher) limit. Fix: pstrdup() or just use cmd->argv[0] and cmd->argv[1]. Bug3: void logformat(char *nickname, char *fmts) doesn't check boundaries on it's local variable 'format'. As a result custom logformats could overflow the buffer. Just a really small thingie :) Could cause some problems though. Bug3: int dolist(cmd_rec *cmd, const char *opt, int clearflags) in modules/mod_ls.c <snippet> char pbuffer[MAXPATHLEN]; if(*arg == '~') { struct passwd *pw; int i; const char *p; i = 0; p = arg; p++; while(*p && *p != '/') pbuffer[i++] = *p++; pbuffer[i] = '\0'; </snippet> This function gets called by cmd_stat, with 'arg' being the argument of STAT. This looks really bad and ugly. But isn't really exploitable since the input buffer is only 1024 bytes. But it's still insecure programming. Copyright 2000-2001 lamagra.seKure.de
Current thread:
- Re: WuFTPD: Providing *remote* root since at least1994, (continued)
- Re: WuFTPD: Providing *remote* root since at least1994 Kragen Sitaker (Jun 30)
- XFree86 4.0.1 and /tmp Joseph S. Myers (Jul 02)
- BitchX - more on format bugs? Forever shall I be. (Jul 03)
- BitchX exploit possibly waiting to happen, certain DoS bert hubert (Jul 03)
- Re: BitchX exploit possibly waiting to happen, certain DoS Daniel Jacobowitz (Jul 05)
- remote crash BitchX 1.0c16 Colten Edwards (Jul 03)
- Re: remote crash BitchX 1.0c16 Moniz, Troy (Jul 05)
- Oracle Web Listener for AIX DoS Peter Grundl (Jul 04)
- Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability Ussr Labs (Jul 04)
- Recovering Passwords in Visible Systems' Razor Clifford, Shawn A (Jul 05)
- proftp advisory lamagra (Jul 05)
- Re: proftp advisory Max Vision (Jul 05)
- Re: proftp advisory Daniel Jacobowitz (Jul 05)
- Secure IRC Fabio Pietrosanti (Jul 06)
- Re: WuFTPD: Providing *remote* root since at least1994 Sebastian (Jul 01)
- Re: WuFTPD: Providing *remote* root since at least1994 Lamagra Argamal (Jul 01)
- Re: WuFTPD: Providing *remote* root since at least1994 Przemyslaw Frasunek (Jul 01)
- Re: WuFTPD: Providing *remote* root since at least1994 Vitaliy Andrusevich (Jul 04)