Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: wuftpd 2.6.1 -- example of bad coding

From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Mon, 8 Jan 2001 20:35:19 -0300
Hello,
 I fail to understand why these vulnerabilities are NOT
 exploitable, could you elaborate a bit on that?
-ivan

----- Original Message -----
From: "Przemyslaw Frasunek" <venglin () FREEBSD LUBLIN PL>
Newsgroups: core.lists.bugtraq
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, January 08, 2001 4:12 PM
Subject: wuftpd 2.6.1 -- example of bad coding



Hello,

There are two non-exploitable format string bugs in wuftpd 2.6.1.

ftpd.c:6272

    if (debug) {
        char *s = calloc(128 + strlen(remoteident), sizeof(char));
        if (s) {
            int i = ntohs(pasv_addr.sin_port);
            sprintf(s, "PASV port %i assigned to %s", i, remoteident);
/* here */  syslog(LOG_DEBUG, s);
            free(s);
        }
    }

ftpd.c:6288

    if (debug) {
        char *s = calloc(128 + strlen(remoteident), sizeof(char));
        if (s) {
            sprintf(s, "PASV port assignment assigned for %s",

remoteident);

/* here */  syslog(LOG_DEBUG, s);
            free(s);
        }
    }

Example:

riget:venglin:~> tail -n1 /etc/hosts
212.182.115.2           riget%p%p%p%p%p%p%p%p%p%p.scene.pl riget
riget:venglin:~> tail -n2 /var/log/debug
Jan  8 14:28:03 riget ftpd[53990]: command: pasv^M
Jan  8 14:28:03 riget ftpd[53990]: PASV port 17355 assigned to

riget0xbfbff1640x80536440x807c2000x8066c210x43cb0x80791000xe0x5c0x960x280850
00.scene.pl [212.182.115.2]

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================





--- For a personal reply use iarce () core-sdi com
Previous By Date Next
Previous By Thread Next

Current thread: