Bugtraq mailing list archives
Wu_ftpd all versions (not) vulnerability.
From: Adam Zabrocki <pi3ki31ny () wp pl>
Date: 22 Sep 2003 12:44:16 -0000
I. Entry. (Not) Vuln are all version deamons wu_ftp; not in default installation. When we use option where deamon send e-mail with name of uploaded files, deamon use function store() and next SockPrintf(). II. Vulnerability details. Vulnerability function is SockPrintf(). There is buffer overflow bug (remote), when function use vsprintf(): "in file src/ftpd.c" int SockPrintf(FILE *sockfp, char *format,...) { va_list ap; char buf[32768]; va_start(ap, format); vsprintf(buf, format, ap); va_end(ap); return SockWrite(buf, 1, strlen(buf), sockfp); } Buf is char array (32768). Argument *format is used by vsprintf. Now look to function store(): "in file src/ftpd.c" void store(char *name, char *mode, int unique) { ... ... #ifdef MAIL_ADMIN ... ... SockPrintf(sck, "From: wu-ftpd <%s>\r\n", mailfrom); SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name); ... SockPrintf(sck, "%s uploaded %s from %s.\r\nFile size is %d.\r\n Please move the file where it belongs.\r\n",guestpw, pathname, remotehost, byte_count); ... #endif /* MAIL_ADMIN */ ... ... } In this function we have control with argument name and in theory we can do remote overflow by call: SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name); ... but in the system (linux) is restriction for path_name = 4095 and in this example we should build minimum path_name = 32778 :-) (Shall it is possibly to bypass it?) III. Exploit. Nah :-) Read second section :P -- pi3 (piekielny / pi3ki31ny) - pi3ki31ny () wp pl http://www.pi3.int.pl "Fuck the system - FTS" "Kochaj mamusie i przyjaciol :D"
Current thread:
- Wu_ftpd all versions (not) vulnerability. Adam Zabrocki (Sep 22)
- <Possible follow-ups>
- Re: Wu_ftpd all versions (not) vulnerability. Marcin Ulikowski (Sep 23)