Bugtraq mailing list archives
Re: proftp advisory
From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Wed, 5 Jul 2000 15:27:27 -0700
On Mon, Jul 03, 2000 at 12:40:54PM +0200, lamagra wrote:
Bug1: void set_proc_title(char *fmt,...) in src/main.c <snippet> memset(statbuf, 0, sizeof(statbuf)); vsnprintf(statbuf, sizeof(statbuf), fmt, msg); #ifdef HAVE_SETPROCTITLE setproctitle(statbuf); #endif /* HAVE_SETPROCTITLE */ </snippet> setproctitle, defined setproctitle(char *fmt,...);, calls vsnprintf(). This makes it vulnerable for formatattacks. By carefully outlining the attackbuffer it's possible to gain root priviledges. Fix: use setproctitle("%s",statbuf);
Note that this is a problem only if you have a setproctitle() in libc (or libutil). Linux does not (glibc 2.x), and I don't believe Solaris does either. Dan /--------------------------------\ /--------------------------------\ | Daniel Jacobowitz |__| SCS Class of 2002 | | Debian GNU/Linux Developer __ Carnegie Mellon University | | dan () debian org | | dmj+ () andrew cmu edu | \--------------------------------/ \--------------------------------/ <HR NOSHADE> <UL> <LI>application/pgp-signature attachment: stored </UL>
Current thread:
- BitchX - more on format bugs?, (continued)
- BitchX - more on format bugs? Forever shall I be. (Jul 03)
- BitchX exploit possibly waiting to happen, certain DoS bert hubert (Jul 03)
- Re: BitchX exploit possibly waiting to happen, certain DoS Daniel Jacobowitz (Jul 05)
- remote crash BitchX 1.0c16 Colten Edwards (Jul 03)
- Re: remote crash BitchX 1.0c16 Moniz, Troy (Jul 05)
- Oracle Web Listener for AIX DoS Peter Grundl (Jul 04)
- Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability Ussr Labs (Jul 04)
- Recovering Passwords in Visible Systems' Razor Clifford, Shawn A (Jul 05)
- proftp advisory lamagra (Jul 05)
- Re: proftp advisory Max Vision (Jul 05)
- Re: proftp advisory Daniel Jacobowitz (Jul 05)
- Secure IRC Fabio Pietrosanti (Jul 06)
- Re: WuFTPD: Providing *remote* root since at least1994 Sebastian (Jul 01)
- Re: WuFTPD: Providing *remote* root since at least1994 Lamagra Argamal (Jul 01)
- Re: WuFTPD: Providing *remote* root since at least1994 Przemyslaw Frasunek (Jul 01)
- Re: WuFTPD: Providing *remote* root since at least1994 Vitaliy Andrusevich (Jul 04)