[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030922124416.31517.qmail@sf-www1-symnsj.securityfocus.com>
Date: 22 Sep 2003 12:44:16 -0000
From: Adam Zabrocki <pi3ki31ny@...pl>
To: bugtraq@...urityfocus.com
Subject: Wu_ftpd all versions (not) vulnerability.
I. Entry.
(Not) Vuln are all version deamons wu_ftp; not in default installation.
When we use option where deamon send e-mail with name of uploaded files,
deamon use function store() and next SockPrintf().
II. Vulnerability details.
Vulnerability function is SockPrintf(). There is buffer
overflow bug (remote), when function use vsprintf():
"in file src/ftpd.c"
int SockPrintf(FILE *sockfp, char *format,...)
{
va_list ap;
char buf[32768];
va_start(ap, format);
vsprintf(buf, format, ap);
va_end(ap);
return SockWrite(buf, 1, strlen(buf), sockfp);
}
Buf is char array (32768). Argument *format is used by vsprintf.
Now look to function store():
"in file src/ftpd.c"
void store(char *name, char *mode, int unique)
{
...
...
#ifdef MAIL_ADMIN
...
...
SockPrintf(sck, "From: wu-ftpd <%s>\r\n", mailfrom);
SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
...
SockPrintf(sck, "%s uploaded %s from %s.\r\nFile size is %d.\r\n
Please move the file where it belongs.\r\n",guestpw, pathname, remotehost, byte_count);
...
#endif /* MAIL_ADMIN */
...
...
}
In this function we have control with argument name and in theory we can do remote overflow by call:
SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
... but in the system (linux) is restriction for path_name = 4095 and in this example we should build minimum path_name = 32778 :-) (Shall it is possibly to bypass it?)
III. Exploit.
Nah :-) Read second section :P
--
pi3 (piekielny / pi3ki31ny) - pi3ki31ny@...pl
http://www.pi3.int.pl
"Fuck the system - FTS"
"Kochaj mamusie i przyjaciol :D"
Powered by blists - more mailing lists