Bugtraq mailing list archives
atftpd bug
From: gz <techieone () softhome net>
Date: Fri, 6 Jun 2003 22:35:52 +0200
Hello, sorry for my poor English. After the mail of Rick Patel about atftpd on the vuln-dev ml
http://www.securityfocus.com/archive/82/323886/2003-06-02/2003-06-08/0
I investigated the bug a little and found in tftpd_file.c (line 320):

int tftpd_send_file(struct thread_data *data)
{
        ...
        char filename[MAXLEN];  /* VAL_SIZE = MAXLEN = 256 */
        char string[MAXLEN];
        ...
        /* Fetch the file name */
        /* If the filename starts with the directory, allow it */
        if (strncmp(directory, data->tftp_options[OPT_FILENAME].value,
                    strlen(directory)) == 0)
                strncpy(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
        else
        {
                strcpy(filename, directory);
                strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
        }
        ...
}

It's strange that the authors use strcpy here, because in the same piece of code in the function tftpd_receive_file() they use strncpy(); however, the overflow occurs in strncat(). In fact you can patch your atftpd just by writing

        strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE - strlen(directory));

instead of the previous strncat(s).

Attached is a little patch and a PoC exploit (I decided to publish it because atftpd is not so widespread, the bug is known and you can patch your system easily: just do 'patch < atftpd.patch' in the source directory). I didn't investigate other bugs in the atftpd code; the patch applies to version 0.6 shipped with Debian Woody.

-- 
 _       ASCII ribbon campaign
( )   www.eff.org - against HTML email
 X    GPG key : pgp.mit.edu & vCards
/ \   <techieone () softhome net>
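Editor's note, added example (not code from the mail or from atftpd): the defect described above is that the third argument of strncat() bounds how much of the *source* is appended, not how much room is left in the *destination*. After strcpy(filename, directory) has already consumed strlen(directory) bytes of the 256-byte buffer, strncat(..., VAL_SIZE) may still append up to 256 bytes plus a terminating NUL. The program below replays that sequence inside a larger scratch array with canary bytes after the 256-byte region, so the overflow can be measured rather than triggered as memory corruption, and compares three bounds: the original VAL_SIZE, the VAL_SIZE - strlen(directory) bound proposed in the mail, and VAL_SIZE - strlen(directory) - 1. Because strncat() always writes a NUL after the bytes it copies, the second bound still places one byte past the end of filename[]; the third does not. The directory "/tftpboot/" and the 255-byte filename are constructed sample values, not taken from the mail or from the attached exploit. A checked builder that refuses a request which does not fit, instead of silently truncating it, is included as the form a reviewer would actually ask for.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN   256
#define VAL_SIZE MAXLEN
#define SLACK    64             /* canary bytes kept after the 256-byte buffer */
#define CANARY   0xCC

/* Constructed sample input (assumptions, not values from the mail): a
 * 10-byte serving directory and a request whose filename option is 255
 * bytes of 'A', the longest value that fits a VAL_SIZE array with a NUL. */
#define DEMO_DIR      "/tftpboot/"
#define DEMO_NAME_LEN 255

/* Replays the tftpd_send_file() construction
 *     strcpy(filename, directory);
 *     strncat(filename, value, bound);
 * with 'filename' being the first MAXLEN bytes of a larger scratch array.
 * Anything written past MAXLEN lands in canary bytes that are still inside
 * 'scratch', so the overflow is observable without undefined behaviour.
 * Returns how many bytes were written past the end of 'filename'. */
size_t overflow_bytes(const char *directory, const char *value, size_t bound)
{
    unsigned char scratch[MAXLEN + SLACK];
    char *filename = (char *)scratch;
    size_t clobbered = 0;

    memset(scratch, CANARY, sizeof scratch);
    strcpy(filename, directory);       /* strlen(directory) + 1 bytes, unbounded */
    strncat(filename, value, bound);   /* up to 'bound' bytes, then a NUL */

    for (size_t i = MAXLEN; i < sizeof scratch; i++)
        if (scratch[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* Runs overflow_bytes() on the constructed sample for a given strncat bound. */
size_t demo_overflow(size_t bound)
{
    char name[DEMO_NAME_LEN + 1];
    memset(name, 'A', DEMO_NAME_LEN);
    name[DEMO_NAME_LEN] = '\0';
    return overflow_bytes(DEMO_DIR, name, bound);
}

/* Bounded replacement: reserve one byte for the terminator and refuse a
 * request that would not fit rather than silently truncating the path.
 * Returns 0 on success and -1 when the directory alone fills the buffer
 * (which would also make VAL_SIZE - strlen(directory) wrap around) or
 * when the joined path does not fit. */
int build_filename_checked(char *filename, size_t size,
                           const char *directory, const char *value)
{
    size_t dirlen = strlen(directory);
    size_t vallen = strlen(value);
    size_t room;

    if (dirlen >= size)
        return -1;
    room = size - dirlen - 1;              /* bytes left for 'value', NUL excluded */
    if (vallen > room)
        return -1;
    memcpy(filename, directory, dirlen);
    memcpy(filename + dirlen, value, vallen + 1);
    return 0;
}

/* Calls build_filename_checked() with the sample directory and a filename
 * of 'name_len' bytes (capped at VAL_SIZE); returns its result code. */
int demo_checked(size_t name_len)
{
    char filename[MAXLEN];
    char name[VAL_SIZE + 1];

    if (name_len > VAL_SIZE)
        name_len = VAL_SIZE;
    memset(name, 'B', name_len);
    name[name_len] = '\0';
    return build_filename_checked(filename, sizeof filename, DEMO_DIR, name);
}

int main(void)
{
    printf("bound VAL_SIZE:                    %zu bytes past filename[]\n",
           demo_overflow(VAL_SIZE));
    printf("bound VAL_SIZE - strlen(dir):      %zu bytes past filename[]\n",
           demo_overflow(VAL_SIZE - strlen(DEMO_DIR)));
    printf("bound VAL_SIZE - strlen(dir) - 1:  %zu bytes past filename[]\n",
           demo_overflow(VAL_SIZE - strlen(DEMO_DIR) - 1));
    printf("checked builder: 245-byte name -> %d, 246-byte name -> %d\n",
           demo_checked(245), demo_checked(246));
    return 0;
}
```

With the sample directory the original bound writes ten bytes past filename[] (the directory length, because strncat's limit never accounted for what strcpy already placed), the bound from the mail leaves exactly one stray NUL past the end, and subtracting one more byte keeps the write inside the buffer. The same one-byte reasoning applies to the strncpy(filename, value, VAL_SIZE) in the other branch, which leaves filename[] unterminated whenever the option value is 256 bytes or longer.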
Attachment:
atftpd.patch
Attachment:
atftpdx.c