BugTraq
Wu_ftpd all versions (not) vulnerability. Sep 22 2003 12:44PM
Adam Zabrocki (pi3ki31ny wp pl)


I. Entry.

(Not) vulnerable are all versions of the wu_ftpd daemon; not in the default installation.

When we use the option where the daemon sends an e-mail with the name of uploaded files, the daemon uses the function store() and then SockPrintf().

II. Vulnerability details.

The vulnerable function is SockPrintf(). There is a (remote) buffer overflow bug where the function uses vsprintf():

"in file src/ftpd.c"

int SockPrintf(FILE *sockfp, char *format,...)
{
    va_list ap;
    char buf[32768];

    va_start(ap, format);
    vsprintf(buf, format, ap);
    va_end(ap);
    return SockWrite(buf, 1, strlen(buf), sockfp);
}

buf is a char array (32768). The argument *format is used by vsprintf.

Now look at the function store():

"in file src/ftpd.c"

void store(char *name, char *mode, int unique)
{
    ...
    ...
#ifdef MAIL_ADMIN
    ...
    ...
    SockPrintf(sck, "From: wu-ftpd <%s>\r\n", mailfrom);
    SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
    ...
    SockPrintf(sck, "%s uploaded %s from %s.\r\nFile size is %d.\r\nPlease move the file where it belongs.\r\n", guestpw, pathname, remotehost, byte_count);
    ...
#endif /* MAIL_ADMIN */
    ...
    ...
}

In this function we control the argument name, and in theory we can do a remote overflow via the call:

SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);

... but in the system (Linux) there is a restriction of path_name = 4095, and in this example we would need to build a path_name of at least 32778 :-) (Is it possible to bypass it?)

III. Exploit.

Nah :-) Read the second section :P

--

pi3 (piekielny / pi3ki31ny) - pi3ki31ny (at) wp (dot) pl [email concealed]

http://www.pi3.int.pl

"Fuck the system - FTS"

"Love your mom and your friends :D"

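Added example (not code from the wu-ftpd source or from the poster): the bounded form of the formatting step in SockPrintf() from section II, using vsnprintf() so that an over-long file name in the "Subject:" line is truncated and reported instead of overrunning the 32768-byte stack buffer. The function names bounded_sock_format, upload_subject_line and demo_long_name are assumed for this example; the 40000-byte name is a constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SOCK_BUF_SIZE 32768   /* same size as buf[] in the real SockPrintf() */

/* Bounded stand-in for the vsprintf() step of SockPrintf(): vsnprintf()
 * never writes more than size bytes and always NUL-terminates, so an
 * over-long argument is cut off instead of overrunning the stack buffer.
 * Returns the number of bytes stored (without the NUL), or -1 on a format
 * error; *truncated is set when the full text did not fit. */
static int bounded_sock_format(char *buf, size_t size, int *truncated,
                               const char *format, ...)
{
    va_list ap;
    int needed;
    va_start(ap, format);
    needed = vsnprintf(buf, size, format, ap);
    va_end(ap);
    if (needed < 0) {
        buf[0] = '\0';
        *truncated = 0;
        return -1;
    }
    *truncated = (size_t)needed >= size;
    return *truncated ? (int)(size - 1) : needed;
}

/* Builds the "Subject:" line that store() sends for an uploaded file.
 * The caller can log or refuse the notification when *truncated is set. */
int upload_subject_line(char *out, size_t outsz, const char *name, int *truncated)
{
    return bounded_sock_format(out, outsz, truncated,
                               "Subject: New file uploaded: %s\r\n\r\n", name);
}

/* Constructed worst case: a 40000-byte file name, longer than the whole
 * 32768-byte buffer. Returns the stored length (32767) when the name was
 * truncated as expected, -1 otherwise. */
int demo_long_name(void)
{
    static char out[SOCK_BUF_SIZE];
    static char name[40000 + 1];
    int truncated = 0, len;

    memset(name, 'A', 40000);            /* name[40000] stays '\0' (static) */
    len = upload_subject_line(out, sizeof out, name, &truncated);
    return (truncated && strlen(out) == (size_t)len) ? len : -1;
}
```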