SecurityFocus BUGTRAQ Mailing List

To: BugTraq
Subject: Wu_ftpd all versions (not) vulnerability.
Date: Sep 22 2003 12:44PM
Author: Adam Zabrocki
Message-ID: <20030922124416.31517.qmail@sf-www1-symnsj.securityfocus.com>

I. Entry.

(Not) vulnerable are all versions of the wu_ftp daemon; not in the default installation. When we use the option where the daemon sends an e-mail with the name of uploaded files, the daemon uses the function store() and next SockPrintf().

II. Vulnerability details.

The vulnerable function is SockPrintf(). There is a (remote) buffer overflow bug when the function uses vsprintf():

"in file src/ftpd.c"

    int SockPrintf(FILE *sockfp, char *format,...)
    {
        va_list ap;
        char buf[32768];

        va_start(ap, format);
        vsprintf(buf, format, ap);   /* unbounded write into buf */
        va_end(ap);
        return SockWrite(buf, 1, strlen(buf), sockfp);
    }

Buf is a char array (32768). The argument *format is used by vsprintf. Now look at the function store():

"in file src/ftpd.c"

    void store(char *name, char *mode, int unique)
    {
        ...
        ...
    #ifdef MAIL_ADMIN
        ...
        ...
        SockPrintf(sck, "From: wu-ftpd <%s>\r\n", mailfrom);
        SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
        ...
        SockPrintf(sck, "%s uploaded %s from %s.\r\nFile size is %d.\r\n Please move the file where it belongs.\r\n",
                   guestpw, pathname, remotehost, byte_count);
        ...
    #endif /* MAIL_ADMIN */
        ...
        ...
    }

In this function we have control over the argument name and in theory we can do a remote overflow by the call:

    SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);

... but in the system (Linux) there is a restriction for path_name = 4095 and in this example we should build a minimum path_name = 32778 :-) (Is it possible to bypass it?)

III. Exploit.

Nah :-) Read the second section :P

--
pi3 (piekielny / pi3ki31ny) - pi3ki31ny wp pl
http://www.pi3.int.pl
"Fuck the system - FTS"
"Love your mum and your friends :D"

Copyright © 1999-2003 SecurityFocus
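A hardened form of the formatting step discussed above, added here as an example and not code from wu-ftpd or from the poster: vsnprintf() bounds the write to the buffer and the caller is told when the Subject: line did not fit, so an over-long filename is refused instead of running past the end of buf. The function names and the constructed filenames are assumptions made for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same buffer size as wu-ftpd's SockPrintf(), so the comparison is direct. */
#define SOCK_BUF_SIZE 32768

/* Bounded replacement for the vsprintf() call (hypothetical name).
 * Returns the number of bytes stored (without the NUL), or -1 when the
 * formatted message was longer than bufsz and had to be truncated. */
static int sock_format_bounded(char *buf, size_t bufsz, const char *format, ...)
{
    va_list ap;
    int needed;

    va_start(ap, format);
    needed = vsnprintf(buf, bufsz, format, ap);  /* never writes beyond bufsz */
    va_end(ap);

    if (needed < 0)
        return -1;                               /* encoding error */
    if ((size_t)needed >= bufsz)
        return -1;                               /* did not fit: truncated */
    return needed;
}

/* Builds the mail Subject: line the way store() does, into the caller's
 * buffer. Returns 1 if the whole line fit, 0 if the name was too long
 * (a caller would then log the event and not send the mail). */
int build_subject_line(char *buf, size_t bufsz, const char *name)
{
    return sock_format_bounded(buf, bufsz,
                               "Subject: New file uploaded: %s\r\n\r\n", name) >= 0;
}

/* Self-check with constructed filenames: a short name is accepted, a name
 * longer than the whole buffer (which would have overflowed vsprintf) is
 * rejected. Returns 1 when both outcomes are as expected. */
int demo(void)
{
    static char big[SOCK_BUF_SIZE + 1];
    char buf[SOCK_BUF_SIZE];
    int ok_short, ok_big;

    memset(big, 'A', SOCK_BUF_SIZE);
    big[SOCK_BUF_SIZE] = '\0';

    ok_short = build_subject_line(buf, sizeof buf, "report.txt");
    ok_big   = build_subject_line(buf, sizeof buf, big);
    return ok_short == 1 && ok_big == 0;
}
```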