lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20030606203552.GA1361@notexists.org>
Date: Fri, 6 Jun 2003 22:35:52 +0200
From: gz <techieone@...thome.net>
To: bugtraq@...urityfocus.com
Subject: atftpd bug

Hello,
Sorry for my poor English.

After the mail from Rick Patel about atftpd on the vuln-dev mailing list

http://www.securityfocus.com/archive/82/323886/2003-06-02/2003-06-08/0

I investigated the bug a little and found the following in

tftpd_file.c (line 320)

int tftpd_send_file(struct thread_data *data)
{
...
     char filename[MAXLEN];     /* VAL_SIZE = MAXLEN = 256 */
     char string[MAXLEN];
...
     /* Fetch the file name */
     /* If the filename starts with the directory, allow it */
     if (strncmp(directory, data->tftp_options[OPT_FILENAME].value,
                 strlen(directory)) == 0)
          strncpy(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
     else
     {
          strcpy(filename, directory);
          /* appends up to VAL_SIZE bytes after the directory already in filename */
          strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
     }
...
}

It is strange that the authors use strcpy() here, because in the same piece of
code in the function tftpd_receive_file() they use strncpy(); however, the
overflow occurs in strncat(). In fact you can patch your atftpd just by writing

          strncat(filename, data->tftp_options[OPT_FILENAME].value,
                        VAL_SIZE - strlen( directory ));

instead of the previous strncat() calls.

Attached is a little patch and a PoC exploit
(I decided to publish it because atftpd is not so widespread,
the bug is known and you can patch your system easily: just run
'patch < atftpd.patch' in the source directory).

I didn't investigate other bugs in the atftpd code; the patch applies to
version 0.6 shipped with Debian Woody.

-- 
                        _
ASCII ribbon campaign  ( )              www.eff.org
 - against HTML email   X          GPG key : pgp.mit.edu
             & vCards  / \        <techieone@...thome.net>

View attachment "atftpd.patch" of type "text/plain" (442 bytes)

View attachment "atftpdx.c" of type "text/x-csrc" (10176 bytes)
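The overflow this message describes, worked through as an added example that is not part of the message and not atftpd's own code. The vulnerable concatenation is rebuilt against a buffer with headroom so the overrun can be measured instead of triggered, next to a bounded strncat() and a join that rejects an over-long request outright. MAXLEN/VAL_SIZE = 256 is taken from the message; the directory "/tftpboot/", the 255-byte request and the names vuln_join_bytes, bounded_strncat, safe_join and the demo_* functions are this example's own assumptions. One caveat for the strncat() form of the fix: strncat() writes a NUL after the bytes it copies, so the count must be the free space minus one, or a long enough request puts the terminator one byte past the buffer.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN   256          /* as in the message: VAL_SIZE = MAXLEN = 256 */
#define VAL_SIZE MAXLEN
#define SLACK    512          /* headroom so the demo measures the overrun instead of crashing */
#define DEMO_DIR "/tftpboot/" /* constructed value for this demo, not atftpd's default */

/* The concatenation from the vulnerable tftpd_send_file(), into a buffer with
 * SLACK bytes of headroom. Returns bytes written including the NUL; anything
 * above MAXLEN would have run past the real 256-byte stack buffer. */
size_t vuln_join_bytes(const char *directory, const char *name)
{
    char filename[MAXLEN + SLACK];
    memset(filename, 0, sizeof filename);
    if (strncmp(directory, name, strlen(directory)) == 0) {
        strncpy(filename, name, VAL_SIZE);
    } else {
        strcpy(filename, directory);
        /* The count bounds bytes appended, not the total: up to
         * strlen(directory) + VAL_SIZE + 1 bytes land in filename[]. */
        strncat(filename, name, VAL_SIZE);
    }
    return strlen(filename) + 1;
}

/* strncat form of the fix: the count is the free space minus one, because
 * strncat writes a NUL after the bytes it copies. Over-long input is truncated. */
void bounded_strncat(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 >= dstsz)
        return;
    strncat(dst, src, dstsz - used - 1);
}

/* Preferred form: sized by the destination, and a request that would not fit
 * is rejected instead of truncated. Returns 0, or -1 with out set to "". */
int safe_join(char *out, size_t outsz, const char *directory, const char *name)
{
    size_t dlen = strlen(directory), nlen = strlen(name);
    if (outsz == 0)
        return -1;
    if (strncmp(directory, name, dlen) == 0)
        dlen = 0;                       /* request already carries the prefix */
    if (dlen + nlen >= outsz) {         /* >= keeps one byte for the NUL */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, directory, dlen);
    memcpy(out + dlen, name, nlen + 1); /* nlen + 1 copies the terminator */
    return 0;
}

/* Constructed request: 255 'A's, the longest C string a VAL_SIZE buffer holds. */
static void make_long_name(char *buf, size_t bufsz)
{
    memset(buf, 'A', bufsz - 1);
    buf[bufsz - 1] = '\0';
}

/* Bytes the vulnerable join writes past filename[MAXLEN] for that request. */
size_t demo_overrun_bytes(void)
{
    char name[VAL_SIZE];
    size_t written;
    make_long_name(name, sizeof name);
    written = vuln_join_bytes(DEMO_DIR, name);
    return written > MAXLEN ? written - MAXLEN : 0;
}

/* Length bounded_strncat leaves for the same request: always below MAXLEN. */
size_t demo_bounded_len(void)
{
    char name[VAL_SIZE], filename[MAXLEN];
    make_long_name(name, sizeof name);
    strcpy(filename, DEMO_DIR);
    bounded_strncat(filename, sizeof filename, name);
    return strlen(filename);
}

/* 1 if safe_join rejects the oversize request and builds a normal path. */
int demo_safe_join(void)
{
    char name[VAL_SIZE], out[MAXLEN];
    make_long_name(name, sizeof name);
    if (safe_join(out, sizeof out, DEMO_DIR, name) != -1 || out[0] != '\0')
        return 0;
    if (safe_join(out, sizeof out, DEMO_DIR, "pxelinux.0") != 0)
        return 0;
    return strcmp(out, "/tftpboot/pxelinux.0") == 0;
}

int main(void)
{
    printf("overrun %zu bytes, bounded len %zu, safe_join %s\n", demo_overrun_bytes(),
           demo_bounded_len(), demo_safe_join() ? "pass" : "fail");
    return 0;
}
```

Build with plain cc and run it: with a 10-byte directory and a 255-byte request the vulnerable join reaches 10 bytes past the 256-byte buffer (the terminator included), which is exactly strlen(directory); a longer configured directory widens the overrun by the same amount, which is why the count passed to strncat() has to be derived from the space left in the destination rather than from VAL_SIZE.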
