The OpenNET Project
 


DoS in PureFTPd


Date: 9 Nov 2003 00:01:08 -0000
From: Adam Zabrocki <[email protected]>
To: [email protected]
Subject: DoS in PureFTPd



Vulnerability in all versions of PureFTPd.

I.  Entry.

    All versions of the PureFTPd daemon are affected. The bug is a DoS.

II. Vulnerability details.

    The vulnerable function is displayrate(). It contains a simple
overflow bug that results in a DoS:

"in file src/ftpd.c"
static void displayrate(const char *word, off_t size,
                        const double started,
                        const char * const name, int up)
{
...
...
        char *resolved_path;
...
...
        /* the project's own realpath() (src/bsd-realpath.c) writes into resolved_path */
        if (realpath(name, resolved_path) == NULL) {
...
...
        /* if the last byte of the buffer is no longer 0, zero memory forward forever */
        if (resolved_path[sizeof_resolved_path - 1U] != 0) {
            for (;;) {
                *resolved_path++ = 0;
            }
        }
...
...
}

The realpath() here is not the libc one: it is written by the PureFTPd
author and lives in src/bsd-realpath.c. It writes the resolved path into
resolved_path, and the if that follows inspects the last byte of that buffer.
When something has been written into that specific place, the for (;;) loop
runs forever, zeroing memory forward until the process reaches unmapped
memory and dies. That crash is the DoS.

Now look at a simple test program for it. Here it is:

"test.c"
#include <stdio.h>
#include <stdlib.h>

#define MAX 65536U

int main(int argc, char *argv[])
{
    char *resolved;                              /* never allocated or initialised */
    const size_t sizeof_resolved_path = MAX + 1U;

    /* nested function: a GCC extension, which is why gdb reports it as error_func.0 */
    void error_func(void)
    {
        /* same check as in displayrate(): if the last byte is not 0, zero memory forward forever */
        if (resolved[sizeof_resolved_path - 1U] != 0) {
            for (;;) {
                *resolved++ = 0;
            }
        }
    }

    (void)argc;
    (void)argv;
    printf("Just a small test for DoS in pureftpd\n");

    error_func();

    printf("if you see this msg the error doesn't exist\n");
    return 0;
}

OK, this gives us the situation from PureFTPd. Now compile the test program
and run it under gdb:

GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /home/tyytus/code/DoS/test
Just a small test for DoS in pureftpd

Program received signal SIGSEGV, Segmentation fault.
0x08048364 in error_func.0 ()
(gdb)

We have a DoS: the program writes '0' into bad memory ;]
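The following is an added example, not pure-ftpd code and not the author's test.c above. It reproduces the sentinel pattern from displayrate() (reserve the last byte of the buffer, zero it, let a path routine write, then inspect the byte) with a buffer that is actually allocated, so what gets exercised is the check itself; note that test.c never allocates `resolved`, so the SIGSEGV it shows comes from the first dereference of an uninitialised pointer, before any zeroing loop is reached. The two resolvers, RESOLVED_SIZE, try_resolve() and the "/tmp/AAA..." inputs are hypothetical and constructed for the demo; the only real API used is the libc realpath(3). Where pure-ftpd answers a clobbered sentinel with the `for (;;)` zeroing loop, the demo returns a status so the outcome can be read off. It also covers a case the page does not discuss: an overrun that is exactly one byte too long, whose NUL terminator lands on the sentinel and is therefore not detected.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Small logical buffer so an overrun is easy to construct; pure-ftpd sizes
 * its buffer from the platform path limit, the size itself is not the point. */
#define RESOLVED_SIZE 64U

/* The check from displayrate(): is the reserved last byte still zero? */
int sentinel_intact(const char *buf, size_t size)
{
    return buf[size - 1U] == 0;
}

/* displayrate() reacts to a lost sentinel with `for (;;) *p++ = 0;`, a
 * deliberate crash. This hypothetical replacement reports instead:
 * 0 = clean, -1 = sentinel clobbered. */
int check_sentinel(const char *buf, size_t size)
{
    return sentinel_intact(buf, size) ? 0 : -1;
}

/* Hypothetical well-behaved resolver: refuses anything that would touch the
 * sentinel byte. Returns 0 on success, -1 if the path does not fit. */
int bounded_resolve(const char *path, char *out, size_t size)
{
    size_t len = strlen(path);
    if (len >= size - 1U) {
        return -1;
    }
    memcpy(out, path, len + 1U);
    return 0;
}

/* Hypothetical broken resolver: the unbounded write the sentinel exists to catch. */
void unbounded_resolve(const char *path, char *out)
{
    strcpy(out, path);
}

/* Constructed input: "/tmp/" followed by 'A's, `len` characters in total. */
static void build_path(char *buf, size_t len)
{
    memcpy(buf, "/tmp/", 5);
    memset(buf + 5, 'A', len - 5);
    buf[len] = 0;
}

/* Plant the sentinel, run one resolver over a constructed path of `len`
 * characters, then apply the check. The logical buffer is the first
 * RESOLVED_SIZE bytes of a larger backing array, so a simulated overrun stays
 * inside memory we own instead of corrupting the heap.
 * Returns 0 (clean), -1 (sentinel clobbered), -2 (bounded resolver refused),
 * -3 (bad demo length). */
int try_resolve(int use_unbounded, size_t len)
{
    char backing[2 * RESOLVED_SIZE];
    char path[2 * RESOLVED_SIZE];
    char *resolved_path = backing;

    if (len < 5 || len >= sizeof path) {
        return -3;
    }
    build_path(path, len);
    memset(backing, 0, sizeof backing);
    resolved_path[RESOLVED_SIZE - 1U] = 0;      /* the sentinel, as in displayrate() */

    if (use_unbounded) {
        unbounded_resolve(path, resolved_path);
    } else if (bounded_resolve(path, resolved_path, RESOLVED_SIZE) != 0) {
        return -2;
    }
    return check_sentinel(resolved_path, RESOLVED_SIZE);
}

/* Same pattern around the libc realpath(3), which expects PATH_MAX bytes.
 * Returns 0 if "/" resolves to "/" with the sentinel intact, -1 otherwise. */
int realpath_root_keeps_sentinel(void)
{
    char out[PATH_MAX + 1U];
    out[sizeof out - 1U] = 0;
    if (realpath("/", out) == NULL || strcmp(out, "/") != 0) {
        return -1;
    }
    return check_sentinel(out, sizeof out);
}

int main(void)
{
    printf("short path, bounded:   %d\n", try_resolve(0, 10));  /* 0 */
    printf("short path, unbounded: %d\n", try_resolve(1, 10));  /* 0 */
    printf("long path, bounded:    %d\n", try_resolve(0, 85));  /* -2, refused */
    printf("long path, unbounded:  %d\n", try_resolve(1, 85));  /* -1, caught */
    printf("63 chars, unbounded:   %d\n", try_resolve(1, 63));  /* 0, NUL lands on the sentinel, missed */
    printf("realpath(\"/\"):         %d\n", realpath_root_keeps_sentinel()); /* 0 */
    return 0;
}
```

The sentinel only fires when the byte that overwrites it is non-zero. An overrun that is exactly one byte too long puts the NUL terminator on the sentinel, so the check reads 0 and passes, as the 63-character case shows; the byte is a tripwire for gross overruns, not a bounds check, which is why the bounded resolver refuses the path before writing instead of relying on the sentinel afterwards.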

III. Exploit.

    Nah :-) We haven't coded one yet :(

--
pi3 (pi3ki31ny) - [email protected] (Thanks to tajtus for the test, and to Azido)
http://www.pi3.int.pl

"The question is not how? But what for?"

