int tftpd_send_file(struct thread_data *data)
{
...
char filename[MAXLEN]; /* VAL_SIZE = MAXLEN = 256 */
char string[MAXLEN];
...
/* Fetch the file name */
/* If the filename starts with the directory, allow it */
if (strncmp(directory, data->tftp_options[OPT_FILENAME].value,
strlen(directory)) == 0)
strncpy(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
else
{
strcpy(filename, directory);
strncat(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
}
...
}
It's strange that Authors use strcpy here because in the same piece of code
from the function tftpd_receive_file() they use strncpy(), however
overflow occurs in strncat() infact you can patch your atftpd just writing
Attached is a little patch and a PoC exploit
( I decided to publish it cause atftpd is not so widespread,
the bug is know and you can patch your system easily, just do
'patch < atftpd.patch' in the source directory ).
I didn't investigate other bugs in the atftpd code, patch applies to
version 0.6 shipped with Debian Woody.
--
_
ASCII ribbon campaign ( ) www.eff.org
- against HTML email X GPG key : pgp.mit.edu
& vCards / \ <techieone (at) softhome (dot) net [email concealed]>
sorry for my poor english.
After the mail of Rick Patel about atftpd on vuln-dev ml
http://www.securityfocus.com/archive/82/323886/2003-06-02/2003-06-08/0
I investigated a little the bug and found in
tftpd_file.c (line 320)
int tftpd_send_file(struct thread_data *data)
{
...
char filename[MAXLEN]; /* VAL_SIZE = MAXLEN = 256 */
char string[MAXLEN];
...
/* Fetch the file name */
/* If the filename starts with the directory, allow it */
if (strncmp(directory, data->tftp_options[OPT_FILENAME].value,
strlen(directory)) == 0)
strncpy(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
else
{
strcpy(filename, directory);
strncat(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
}
...
}
It's strange that Authors use strcpy here because in the same piece of code
from the function tftpd_receive_file() they use strncpy(), however
overflow occurs in strncat() infact you can patch your atftpd just writing
strncat(filename, data->tftp_options[OPT_FILENAME].value,
VAL_SIZE - strlen( directory ));
instead of the previous strncat(s).
Attached is a little patch and a PoC exploit
( I decided to publish it cause atftpd is not so widespread,
the bug is know and you can patch your system easily, just do
'patch < atftpd.patch' in the source directory ).
I didn't investigate other bugs in the atftpd code, patch applies to
version 0.6 shipped with Debian Woody.
--
_
ASCII ribbon campaign ( ) www.eff.org
- against HTML email X GPG key : pgp.mit.edu
& vCards / \ <techieone (at) softhome (dot) net [email concealed]>
[ reply ]