[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030606203552.GA1361@notexists.org>
Date: Fri, 6 Jun 2003 22:35:52 +0200
From: gz <techieone@...thome.net>
To: bugtraq@...urityfocus.com
Subject: atftpd bug
Hello,
sorry for my poor english.
After the mail of Rick Patel about atftpd on vuln-dev ml
http://www.securityfocus.com/archive/82/323886/2003-06-02/2003-06-08/0
I investigated a little the bug and found in
tftpd_file.c (line 320)
int tftpd_send_file(struct thread_data *data)
{
...
char filename[MAXLEN]; /* VAL_SIZE = MAXLEN = 256 */
char string[MAXLEN];
...
/* Fetch the file name */
/* If the filename starts with the directory, allow it */
if (strncmp(directory, data->tftp_options[OPT_FILENAME].value,
strlen(directory)) == 0)
strncpy(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
else
{
strcpy(filename, directory);
strncat(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
}
...
}
It's strange that Authors use strcpy here because in the same piece of code
from the function tftpd_receive_file() they use strncpy(), however
overflow occurs in strncat() infact you can patch your atftpd just writing
strncat(filename, data->tftp_options[OPT_FILENAME].value,
VAL_SIZE - strlen( directory ));
instead of the previous strncat(s).
Attached is a little patch and a PoC exploit
( I decided to publish it cause atftpd is not so widespread,
the bug is know and you can patch your system easily, just do
'patch < atftpd.patch' in the source directory ).
I didn't investigate other bugs in the atftpd code, patch applies to
version 0.6 shipped with Debian Woody.
--
_
ASCII ribbon campaign ( ) www.eff.org
- against HTML email X GPG key : pgp.mit.edu
& vCards / \ <techieone@...thome.net>
View attachment "atftpd.patch" of type "text/plain" (442 bytes)
View attachment "atftpdx.c" of type "text/x-csrc" (10176 bytes)
Powered by blists - more mailing lists