Dailydave mailing list archives
ProFTPD bug
From: "Evgeny Legerov" <admin () gleg net>
Date: Tue, 07 Feb 2006 10:13:23 +0300
Hi,

Did you ever read the ProFTPD NEWS file? Sometimes this file may reveal rather interesting info.

From proftpd-1.3.0rc3/NEWS:

1.3.0rc2 - Released 24-Jul-2005
--------------------------------
...
- Bug 2658 - Segfault in mod_radius when using long password.

The above sounds interesting, but 1.3.x is a development version of ProFTPD and, as usually happens, it might be possible that the bug still exists in the stable 1.2.10 version.

From proftpd-1.2.10/contrib/mod_radius.c:

    static void radius_add_passwd(radius_packet_t *packet, unsigned char type,
        const char *passwd, char *secret) {
      MD5_CTX ctx, secret_ctx;
      radius_attrib_t *attrib = NULL;
      unsigned char calculated[RADIUS_VECTOR_LEN];
      char pwhash[256 + RADIUS_PASSWD_LEN];
      size_t pwlen = strlen(passwd);
      char *digest = NULL;
      register unsigned int i = 0;

      if (pwlen == 0) {
        pwlen = RADIUS_PASSWD_LEN;
      }

      if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {
        /* Round up the length. */
        pwlen += (RADIUS_PASSWD_LEN - 1);

        /* Truncate the length, as necessary. */
        pwlen &= ~(RADIUS_PASSWD_LEN - 1);
      }

      /* Clear the buffers. */
      memset(pwhash, '\0', pwlen);
[1]   memcpy(pwhash, passwd, pwlen);
      ...
      /* For each step through: e[i] = p[i] ^ MD5(secret + e[i-1]) */
[2]   for (i = 1; i < (pwlen >> 4); i++) {
        /* Start with the old value of the MD5 sum. */
        ctx = secret_ctx;
        MD5Update(&ctx, &pwhash[(i-1) * RADIUS_PASSWD_LEN], RADIUS_PASSWD_LEN);

        /* Set the calculated digest. */
        MD5Final(calculated, &ctx);

        /* XOR the results. */
        radius_xor(&pwhash[i * RADIUS_PASSWD_LEN], calculated, RADIUS_PASSWD_LEN);
      }
    }

The code on line #1 looks like a classic stack overflow bug, but because of loop #2 I am not sure whether it is exploitable at all.

Regards, -evgeny
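
Added example, not part of the original post and not ProFTPD's own code: the length rounding from the quoted radius_add_passwd() isolated into a function, next to a bounded copy that checks the padded length against the size of pwhash before writing and copies only strlen(passwd) bytes from the source. RADIUS_PASSWD_LEN is assumed to be 16 (consistent with the "pwlen >> 4" in the quoted loop); the helper names are hypothetical, and rejecting an over-long password rather than truncating it is a choice made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_PASSWD_LEN 16                  /* assumed value, see lead-in */
#define PWHASH_SIZE (256 + RADIUS_PASSWD_LEN) /* size of pwhash in the quoted code */

/* Length rounding as in the quoted function: 0 becomes one block,
 * anything else is rounded up to a multiple of RADIUS_PASSWD_LEN. */
size_t padded_len(size_t pwlen)
{
    if (pwlen == 0)
        pwlen = RADIUS_PASSWD_LEN;
    if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {
        pwlen += (RADIUS_PASSWD_LEN - 1);
        pwlen &= ~(size_t)(RADIUS_PASSWD_LEN - 1);
    }
    return pwlen;
}

/* Nonzero when the unbounded memset/memcpy at [1] would write past pwhash. */
int overflows_pwhash(size_t pwlen)
{
    return padded_len(pwlen) > PWHASH_SIZE;
}

/* Bounded variant (hypothetical helper). Returns the padded length written,
 * or 0 when the padded password does not fit in the caller's buffer. */
size_t copy_passwd_bounded(char *pwhash, size_t cap, const char *passwd)
{
    size_t srclen = strlen(passwd);
    size_t padded = padded_len(srclen);

    if (padded > cap)
        return 0;                   /* reject before touching the buffer */
    memset(pwhash, '\0', padded);   /* zero padding up to the block boundary */
    memcpy(pwhash, passwd, srclen); /* srclen, not padded: no over-read of passwd */
    return padded;
}

int main(void)
{
    size_t lens[] = { 0, 6, 17, 272, 273, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("strlen=%zu padded=%zu overflows=%d\n",
               lens[i], padded_len(lens[i]), overflows_pwhash(lens[i]));
    return 0;
}
```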