Multiple Vendor ftpd setproctitle() Format String Vulnerability

A number of ftp daemons, including versions of wu-ftpd, OpenBSD ftpd (ports of this package are distributed with some Linux distributions), HP-UX ftpd, and proftpd, have a vulnerability caused by the passing of user input to the set_proc_title() function. This function in turn calls setproctitle() after using this user data to generate a buffer to pass to setproctitle. setproctitle is defined as setproctitle(char *fmt, ...). The buffer created is passed as the format argument to setproctitle. setproctitle will make a call to the vsnprintf() call, taking the buffer passed as the format string. By carefully manipulating the contents of this buffer, a remote user can cause values on the stack to be overwritten, and potentially cause arbitrary code to be executed as root.


Privacy Statement
Copyright 2010, SecurityFocus