Bugtraq mailing list archives

wuftpd 2.6.1 -- example of bad coding

From: Przemyslaw Frasunek <venglin () FREEBSD LUBLIN PL>
Date: Mon, 8 Jan 2001 16:10:41 +0100

Hello,

There are two non-exploitable format string bugs in wuftpd 2.6.1.

ftpd.c:6272

    if (debug) {
        char *s = calloc(128 + strlen(remoteident), sizeof(char));
        if (s) {
            int i = ntohs(pasv_addr.sin_port);
            sprintf(s, "PASV port %i assigned to %s", i, remoteident);
/* here */  syslog(LOG_DEBUG, s);
            free(s);
        }
    }

ftpd.c:6288

    if (debug) {
        char *s = calloc(128 + strlen(remoteident), sizeof(char));
        if (s) {
            sprintf(s, "PASV port assignment assigned for %s", remoteident);
/* here */  syslog(LOG_DEBUG, s);
            free(s);
        }
    }

Example:

riget:venglin:~> tail -n1 /etc/hosts
212.182.115.2           riget%p%p%p%p%p%p%p%p%p%p.scene.pl riget
riget:venglin:~> tail -n2 /var/log/debug
Jan  8 14:28:03 riget ftpd[53990]: command: pasv^M
Jan  8 14:28:03 riget ftpd[53990]: PASV port 17355 assigned to 
riget0xbfbff1640x80536440x807c2000x8066c210x43cb0x80791000xe0x5c0x960x28085000.scene.pl [212.182.115.2]

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *

Current thread:

wuftpd 2.6.1 -- example of bad coding Przemyslaw Frasunek (Jan 08)
- Re: wuftpd 2.6.1 -- example of bad coding Gregory A Lundberg (Jan 08)
- Re: wuftpd 2.6.1 -- example of bad coding Iván Arce (Jan 09)