Dailydave mailing list archives

ProFTPD bug


From: "Evgeny Legerov" <admin () gleg net>
Date: Tue, 07 Feb 2006 10:13:23 +0300

Hi,

Did you ever read the ProFTPD NEWS file?
Sometimes this file may reveal rather interesting info.

From proftpd-1.3.0rc3/NEWS:
1.3.0rc2 - Released 24-Jul-2005
--------------------------------
...
- Bug 2658 - Segfault in mod_radius when using long password.


The above sounds interesting, but 1.3.x is a development version of ProFTPD and, as usually happens, it might be possible that the bug still exists in the stable 1.2.10 version.

From proftpd-1.2.10/contrib/mod_radius.c:
static void radius_add_passwd(radius_packet_t *packet, unsigned char type,
    const char *passwd, char *secret) {

  MD5_CTX ctx, secret_ctx;
  radius_attrib_t *attrib = NULL;
  unsigned char calculated[RADIUS_VECTOR_LEN];
  char pwhash[256 + RADIUS_PASSWD_LEN];
  size_t pwlen = strlen(passwd);
  char *digest = NULL;
  register unsigned int i = 0;

  if (pwlen == 0) {
    pwlen = RADIUS_PASSWD_LEN;

  } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {

    /* Round up the length. */
    pwlen += (RADIUS_PASSWD_LEN - 1);

    /* Truncate the length, as necessary. */
    pwlen &= ~(RADIUS_PASSWD_LEN - 1);
  }

  /* Clear the buffers. */
  memset(pwhash, '\0', pwlen);
[1]  memcpy(pwhash, passwd, pwlen);

  ...

  /* For each step through: e[i] = p[i] ^ MD5(secret + e[i-1]) */
[2]  for (i = 1; i < (pwlen >> 4); i++) {

    /* Start with the old value of the MD5 sum. */
    ctx = secret_ctx;

    MD5Update(&ctx, &pwhash[(i-1) * RADIUS_PASSWD_LEN], RADIUS_PASSWD_LEN);

    /* Set the calculated digest. */
    MD5Final(calculated, &ctx);

    /* XOR the results. */
    radius_xor(&pwhash[i * RADIUS_PASSWD_LEN], calculated, RADIUS_PASSWD_LEN);
  }

}

The code on line #1 looks like a classic stack overflow bug, but because of loop #2 I am not sure whether it is exploitable at all.

Regards,
-evgeny
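The defect in the quoted function is entirely in the length arithmetic before line #1: `pwlen` is taken from `strlen(passwd)`, rounded up to the next multiple of `RADIUS_PASSWD_LEN`, and then used as the size for both `memset` and `memcpy` into a fixed `pwhash[256 + RADIUS_PASSWD_LEN]` stack buffer with no comparison against that buffer's size. The following is an added example, not code from the post or from ProFTPD, that isolates that rounding so it can be checked, and shows the bounds check a hardened version needs. It assumes `RADIUS_PASSWD_LEN` is 16 (implied by the `pwlen >> 4` in loop #2) and uses the 128-octet User-Password ceiling from RFC 2865 as a second, protocol-level limit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed value, implied by the `pwlen >> 4` in the quoted loop. */
#define RADIUS_PASSWD_LEN 16
/* sizeof(pwhash) in the quoted proftpd-1.2.10 function. */
#define PWHASH_SIZE (256 + RADIUS_PASSWD_LEN)
/* RFC 2865 section 5.2: the User-Password String field is at most 128 octets. */
#define RADIUS_MAX_USER_PASSWD 128

/* Reproduces the rounding from the quoted function: an empty password
 * becomes one block, anything else is rounded up to a multiple of 16.
 * This is where the value that later overruns pwhash is computed. */
size_t radius_round_pwlen(size_t pwlen) {
  if (pwlen == 0) {
    pwlen = RADIUS_PASSWD_LEN;
  }
  if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {
    pwlen += RADIUS_PASSWD_LEN - 1;               /* round up */
    pwlen &= ~(size_t)(RADIUS_PASSWD_LEN - 1);    /* truncate to block boundary */
  }
  return pwlen;
}

/* Returns 1 when the rounded length exceeds a pwhash buffer of bufsize bytes,
 * i.e. when the original memset/memcpy would write past the buffer. */
int radius_pwlen_overflows(size_t pwlen, size_t bufsize) {
  return radius_round_pwlen(pwlen) > bufsize;
}

/* Hardened copy step (assumed design, not ProFTPD's fix): reject the
 * password if it breaks the protocol limit or if the rounded length does
 * not fit the destination, and copy only the real bytes so the source
 * string is never read past its terminator. Returns the rounded length
 * on success and 0 on rejection. */
size_t radius_copy_passwd_checked(const char *passwd, unsigned char *pwhash,
    size_t bufsize) {
  size_t pwlen = strlen(passwd);
  size_t rounded;

  if (pwlen > RADIUS_MAX_USER_PASSWD) {
    return 0;                      /* longer than RADIUS allows */
  }
  rounded = radius_round_pwlen(pwlen);
  if (rounded > bufsize) {
    return 0;                      /* would not fit pwhash */
  }
  memset(pwhash, 0, rounded);      /* zero padding up to the block boundary */
  memcpy(pwhash, passwd, pwlen);   /* strlen bytes only, never the rounded size */
  return rounded;
}

int main(void) {
  size_t lengths[] = { 0, 1, 16, 17, 256, 272, 273, 300 };
  size_t n = sizeof(lengths) / sizeof(lengths[0]);
  size_t k;

  for (k = 0; k < n; k++) {
    printf("strlen=%3zu rounded=%3zu overflows pwhash[%d]? %s\n",
        lengths[k], radius_round_pwlen(lengths[k]), PWHASH_SIZE,
        radius_pwlen_overflows(lengths[k], PWHASH_SIZE) ? "yes" : "no");
  }
  return 0;
}
```

The table the program prints makes the threshold visible: any password whose length rounds to more than 272 bytes drives the original `memset` and `memcpy` past `pwhash`, and because the original copies the rounded length rather than `strlen(passwd)`, it also reads past the end of the source string even for short inputs. Checking the rounded length against `sizeof(pwhash)` before the copy, and enforcing the RFC 2865 maximum at the point the password enters the module, removes both problems.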

