ProFTPD
Date: Mon, 30 Aug 1999 19:42:44 +1200
From: Nic Bellamy <[email protected]>
To: [email protected]
Subject: Re: ProFTPD

On Sun, 29 Aug 1999, dumped wrote:

> Here goes the fix.

It breaks two things that were never problems.

 p = mod_privdata_alloc(cmd,"stor_filename",strlen(dir)+1);

This dynamically allocates strlen(dir)+1 bytes into the p->value union,
making the following strcpy(p->value.str_val,dir) line harmless.

+  strncpy(p->value.str_val, dir, strlen(p->value.str_val));
 [...]
+  strncpy(p->value.str_val,dir, sizeof(p->value.str_val));

Both of these introduce bugs, not fix them. strlen() on freshly allocated
memory won't give you very consistent results, and sizeof(p->value.str_val)
gives you sizeof(char *).

To address the bug exploited by the published exploit, apply the following
patch, or upgrade to proftpd 1.2.0pre4 (which includes this fix),
available from ftp.tos.net:/pub/proftpd/

--- proftpd-1.2.0pre3a/src/log.c.orig   Mon Aug 30 12:28:53 1999
+++ proftpd-1.2.0pre3a/src/log.c        Mon Aug 30 12:29:05 1999
@@ -111,7 +111,7 @@
   if(xferfd == -1)
     return 0;

-  sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
+  snprintf(buf,sizeof(buf),"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
           fmt_time(time(NULL)),xfertime,remhost,fsize,
           fname,xfertype,direction,access,user);
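Review bot: the snprintf return value is not checked, so an oversize record is silently truncated and, because the "\n" is the last thing in the format string, the newline is the first thing lost; the next xferlog record then runs onto the same line and any parser of the log sees a malformed entry. Consider capturing the result, e.g. `int n = snprintf(buf, sizeof(buf), ...);` and treating `n < 0 || n >= sizeof(buf)` as an error (log it and return) rather than writing the partial line. Also note that `sizeof(buf)` is only the buffer size if `buf` is a local array; the declaration is outside this hunk, so that is worth confirming.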

To exploit the bug, the attacker must have permission to create
directories and store files.

Regards,
	Nic.

-- Nic Bellamy <[email protected]>
   J. Random Coder.
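The two points made above (sizeof on a char* member is the pointer size, not the allocation, and the xferlog line has to be bounded by the buffer size) as an added C example. This is not code from the mail or from ProFTPD; the union layout, the field values and the helper names are assumptions made for illustration.

```c
/* Added example, not ProFTPD code. Models the two points from the mail:
 * 1. sizeof(p->value.str_val) is sizeof(char *), never the length of the
 *    heap block str_val points to; the right bound is the one you allocated.
 * 2. A fixed buffer needs snprintf() AND a check of its return value, since
 *    truncation also drops the trailing "\n" of the xferlog record. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the privdata value union (layout is an assumption). */
union value {
    char *str_val;
    long  num_val;
};

/* What sizeof() reports for the str_val member: the size of a pointer. */
size_t sizeof_str_val_member(void)
{
    union value v;
    return sizeof(v.str_val);
}

/* The safe pattern the mail describes: allocate strlen(dir)+1 bytes and
 * copy exactly that many, so the copy cannot overrun. Caller frees. */
char *copy_dir(const char *dir)
{
    size_t n = strlen(dir) + 1;          /* includes the terminating NUL */
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    memcpy(p, dir, n);                   /* bounded by what we allocated */
    return p;
}

/* Format one xferlog record into buf (same format string as the patch).
 * Returns 0 if the whole record fit, -1 if snprintf() had to truncate. */
int format_xfer_line(char *buf, size_t buflen, const char *tstamp,
                     int xfertime, const char *remhost, unsigned long fsize,
                     const char *fname, char xfertype, char direction,
                     char access, const char *user)
{
    int n = snprintf(buf, buflen, "%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
                     tstamp, xfertime, remhost, fsize, fname, xfertype,
                     direction, access, user);
    if (n < 0 || (size_t)n >= buflen)
        return -1;                       /* would not fit: record is incomplete */
    return 0;
}

/* Try to log a transfer of `fname` into a buffer of `buflen` bytes using
 * constructed sample values for the other fields (example data only).
 * Returns format_xfer_line()'s result so the effect of a long filename,
 * the attacker-controlled field, can be observed without any overflow. */
int try_log_line(size_t buflen, const char *fname)
{
    char buf[512];                       /* capacity cap for this example */
    if (buflen > sizeof(buf))
        buflen = sizeof(buf);
    return format_xfer_line(buf, buflen, "Mon Aug 30 12:28:53 1999", 1,
                            "203.0.113.7", 1024UL, fname, 'b', 'i', 'r',
                            "ftp");
}

int main(void)
{
    /* The copy is bounded by the allocation, not by sizeof(char *). */
    char *d = copy_dir("/incoming/uploads");
    printf("sizeof(str_val) = %zu, allocated = %zu\n",
           sizeof_str_val_member(), strlen(d) + 1);
    free(d);

    /* A long filename no longer overflows; it is reported as truncated. */
    char longname[200];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    printf("short name fits: %d, long name fits: %d\n",
           try_log_line(128, "/incoming/readme.txt") == 0,
           try_log_line(128, longname) == 0);
    return 0;
}
```

With the 128-byte buffer the short filename produces a complete record and the 199-byte filename is reported as truncated instead of overrunning the stack; a caller that ignores the -1 would still write a record with no newline, which is why the return value matters as much as the bound.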
