Bugtraq mailing list archives

atftpd bug

From: gz <techieone () softhome net>
Date: Fri, 6 Jun 2003 22:35:52 +0200

Hello,
sorry for my poor english.

After the mail of Rick Patel about atftpd on vuln-dev ml

http://www.securityfocus.com/archive/82/323886/2003-06-02/2003-06-08/0

I investigated a little  the bug and found in 

tftpd_file.c (line 320)

int tftpd_send_file(struct thread_data *data)
{
...
     char filename[MAXLEN];     /* VAL_SIZE = MAXLEN = 256 */
     char string[MAXLEN];
...
     /* Fetch the file name */
     /* If the filename starts with the directory, allow it */
     if (strncmp(directory, data->tftp_options[OPT_FILENAME].value,
                 strlen(directory)) == 0)
          strncpy(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
     else
     {
          strcpy(filename, directory);
          strncat(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
     }
...
}

It's strange that Authors use strcpy here because in the same piece of code
from the function tftpd_receive_file() they use strncpy(), however
overflow occurs in strncat() infact you can patch your atftpd just writing

          strncat(filename, data->tftp_options[OPT_FILENAME].value,
                        VAL_SIZE - strlen( directory ));

instead of the previous strncat(s).

Attached is a little patch and a PoC exploit 
( I decided to publish it cause atftpd is not so widespread, 
the bug is know and you can patch your system easily, just do 
 'patch < atftpd.patch' in the source directory ). 

I didn't investigate other bugs in the atftpd code, patch applies to 
version 0.6 shipped with Debian Woody.

-- 
                        _
ASCII ribbon campaign  ( )              www.eff.org
 - against HTML email   X          GPG key : pgp.mit.edu
             & vCards  / \        <techieone () softhome net>

Attachment: atftpd.patch
Description:

Attachment: atftpdx.c
Description:

Current thread:

atftpd bug gz (Jun 06)