lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3fafb02aaf413@wp.pl>
From: pi3ki31ny at wp.pl (Adam Zabrocki)
Subject: DoS in PureFTPd

PureFTPd all versions vulnerability.

I.  Entry.

    Vuln are all version deamons PureFTP. There is DoS bug.

II. Vulnerability details.

    Vulnerability function is displayrate(). There is simple
overflow bug (DoS):

"in file src/ftpd.c"
static void displayrate(const char *word, off_t size,
                        const double started,
                        const char * const name, int up)
{
...
...
        char *resolved_path;
...
...
        if (realpath(name, resolved_path) == NULL) {
...
...
        if (resolved_path[sizeof_resolved_path - 1U] != 0) {
            for (;;) {
                *resolved_path++ = 0;
            }
        }
...
...
}

Function realpath() is write by autor PureFTP. We can find her
in file src/bsd-realpath.c. This function write string to 
resolved_path
and next call to if check the memory, and when are written in
specific place, than loop for() do DoS.

Now look at simple program to test it. Here is it:

"test.c"
#include <stdio.h>
#include <stdlib.h>

#define MAX 65536U
int main(int argc, char *argv[])
{
   char *resolved;
   const size_t sizeof_resolved_path = MAX + 1U;
int error_func()
     {

   if(resolved[sizeof_resolved_path - 1U] != 0)
     {

        for( ; ; )
          {
             *resolved++ = 0;
          }
     }
     }
   printf("Just a small test for DoS in pureftpd\n");

          error_func();

          printf("if you see this msg the error dosent exist\n");

}

Ok we have here the situaction like in PureFTP. Now compile that 
test program
and run with gdb. Here:

GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, 
and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" 
for
details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /home/tyytus/code/DoS/test
Just a small test for DoS in pureftpd

Program received signal SIGSEGV, Segmentation fault.
0x08048364 in error_func.0 ()
(gdb)

We have DoS and program write '0' in bad memory ;]

III. Exploit.

    Nah :-) We don't coded yet :(

--
pi3 (pi3ki31ny) - pi3ki31ny@...pl (Thx to tajtus for test and 
Azido)
http://www.pi3.int.pl

"Pytanie nie brzmi jak? Tylko poco?"



----------------------------------------------------------
Najlepszy serial komediowy ostatnich lat!!! "Przyjaciele"
ju? na DVD i wideo - to mo?na ogl?da? w niesko?czono??!!!
http://film.wp.pl/p/film.html?id=13333




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ