lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <47596E67.6030806@gmail.com>
Date: Sat, 08 Dec 2007 00:01:43 +0800
From: "xiaojunli.air" <xiaojunli.air@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: netkit-ftpd/ftp uninitialized vulnerability

netkit-ftpd/ftp uninitialized vulnerability
Class: Design Error
DATE:11/1/2007
CVEID:CVE-2007-5769
Vulnerable:
	netkit-ftpd-0.17/netkit-ftp-0.17
Vendor:

I.Synopsis

A vulnerability has been discovered in netkit-ftpd/ftp.

II.DETAILS:
----------
Background

netkit-ftpd is the Linux Netkit FTP server with optional SSL support.
netkit-ftp is the client for the ftp protocol.

Description

	There is a uninitialized  vulnerability in function dataconn() in ftpd.c.
 	static FILE * dataconn(const char *name, off_t size, const char *mode)
 	{
 		char sizebuf[32];
 		FILE *file;  <-uninit variable.

		...
			 if (SSL_accept(ssl_data_con)<=0) {
1459 				static char errbuf[1024];
1460 	
1461 				snprintf(errbuf, sizeof(errbuf), "ftpd: SSL_accept DATA error
%s\n",
1462 					    ERR_error_string(ERR_get_error(),NULL));
1463 				perror_reply(425, errbuf);
1464 				/* abort time methinks ... */
1465 				fclose(file); <-- close an uninit value.
1466 				return NULL;


Program received signal SIGSEGV, Segmentation fault.
0x6fca33fd in fclose () from /lib/libc.so.6
(gdb) bt
#0  0x6fca33fd in fclose () from /lib/libc.so.6
#1  0x0804c601 in dataconn (name=0x77add110 "/bin/ls", size=<value
optimized out>, mode=0x8053f4f "w") at ftpd.c:1465
#2  0x0804d3f8 in retrieve (cmd=0x80550c7 "/bin/ls -lgA",
name=0x77add110 "/bin/ls") at ftpd.c:1197
#3  0x0805193a in yyparse () at ftpcmd.y:378
) at ftpd.c:685

in order to trigger this bug, the client should use the passive mode to
transfer data.
and  the SSL_accept should  failed at line ftpd.c:1458. the client broke
the connection
will cause the SSL_accept failed.

same problem occur in netkit-ftp's getreply() too.
467     int
468     getreply(int expecteof)
469     {
........
520                                             (void)
signal(SIGINT,oldintr);
521                                             code = 221;
522                                             return (0);
523                                     }
524                                     lostpeer(0);
525                                     fclose(cout);

Program received signal SIGSEGV, Segmentation fault.
0x6fcb73fd in fclose () from /lib/libc.so.6
(gdb) bt
#0  0x6fcb73fd in fclose () from /lib/libc.so.6
#1  0x0804fb9c in getreply (expecteof=0) at ftp.c:525
#2  0x0804fe49 in abort_remote (din=0x8099a20) at ftp.c:2117
#3  0x08052400 in recvrequest (cmd=0x80567f1 "LIST", local=0x8059400
"-", remote=0x0, lmode=0x8056b44 "w", printnames=0) at ftp.c:1288
#4  0x0804bcb5 in ls (argc=1, argv=0x80650e0) at cmds.c:1429
#5  0x08055382 in main (argc=-817625725, argv=0xc3010805) at main.c:484

Impact
Reading uninitialized variables can result in unpredictable behavior,
crashes, or security holes.

III.CREDIT:
----------
    Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab
guys.

V.DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of
any
kind. In no event shall we be liable for any damages whatsoever
including direct,
indirect, incidental, consequential, loss of business profits or special
damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

Security
Trusted {Solution} Provider
Service

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ