[<prev] [next>] [day] [month] [year] [list]
Message-ID: <47596E67.6030806@gmail.com>
Date: Sat, 08 Dec 2007 00:01:43 +0800
From: "xiaojunli.air" <xiaojunli.air@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: netkit-ftpd/ftp uninitialized vulnerability
netkit-ftpd/ftp uninitialized vulnerability
Class: Design Error
DATE:11/1/2007
CVEID:CVE-2007-5769
Vulnerable:
netkit-ftpd-0.17/netkit-ftp-0.17
Vendor:
I.Synopsis
A vulnerability has been discovered in netkit-ftpd/ftp.
II.DETAILS:
----------
Background
netkit-ftpd is the Linux Netkit FTP server with optional SSL support.
netkit-ftp is the client for the ftp protocol.
Description
There is a uninitialized vulnerability in function dataconn() in ftpd.c.
static FILE * dataconn(const char *name, off_t size, const char *mode)
{
char sizebuf[32];
FILE *file; <-uninit variable.
...
if (SSL_accept(ssl_data_con)<=0) {
1459 static char errbuf[1024];
1460
1461 snprintf(errbuf, sizeof(errbuf), "ftpd: SSL_accept DATA error
%s\n",
1462 ERR_error_string(ERR_get_error(),NULL));
1463 perror_reply(425, errbuf);
1464 /* abort time methinks ... */
1465 fclose(file); <-- close an uninit value.
1466 return NULL;
Program received signal SIGSEGV, Segmentation fault.
0x6fca33fd in fclose () from /lib/libc.so.6
(gdb) bt
#0 0x6fca33fd in fclose () from /lib/libc.so.6
#1 0x0804c601 in dataconn (name=0x77add110 "/bin/ls", size=<value
optimized out>, mode=0x8053f4f "w") at ftpd.c:1465
#2 0x0804d3f8 in retrieve (cmd=0x80550c7 "/bin/ls -lgA",
name=0x77add110 "/bin/ls") at ftpd.c:1197
#3 0x0805193a in yyparse () at ftpcmd.y:378
) at ftpd.c:685
in order to trigger this bug, the client should use the passive mode to
transfer data.
and the SSL_accept should failed at line ftpd.c:1458. the client broke
the connection
will cause the SSL_accept failed.
same problem occur in netkit-ftp's getreply() too.
467 int
468 getreply(int expecteof)
469 {
........
520 (void)
signal(SIGINT,oldintr);
521 code = 221;
522 return (0);
523 }
524 lostpeer(0);
525 fclose(cout);
Program received signal SIGSEGV, Segmentation fault.
0x6fcb73fd in fclose () from /lib/libc.so.6
(gdb) bt
#0 0x6fcb73fd in fclose () from /lib/libc.so.6
#1 0x0804fb9c in getreply (expecteof=0) at ftp.c:525
#2 0x0804fe49 in abort_remote (din=0x8099a20) at ftp.c:2117
#3 0x08052400 in recvrequest (cmd=0x80567f1 "LIST", local=0x8059400
"-", remote=0x0, lmode=0x8056b44 "w", printnames=0) at ftp.c:1288
#4 0x0804bcb5 in ls (argc=1, argv=0x80650e0) at cmds.c:1429
#5 0x08055382 in main (argc=-817625725, argv=0xc3010805) at main.c:484
Impact
Reading uninitialized variables can result in unpredictable behavior,
crashes, or security holes.
III.CREDIT:
----------
Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab
guys.
V.DISCLAIMS:
-----------
The information in this bulletin is provided "AS IS" without warranty of
any
kind. In no event shall we be liable for any damages whatsoever
including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.
VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)
Security
Trusted {Solution} Provider
Service
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists