QNX RTOS FTP Client QUOTE Command Format String Overflow

2004-09-13T09:32:55
ID OSVDB:10369
Type osvdb
Reporter Julio Cesar Fort (julio@rfdslabs.com.br)
Modified 2004-09-13T09:32:55

Description

Vulnerability Description

A local overflow exists in the QNX RTOS FTP client. The client's QUOTE command fails to properly check the format of the incoming string, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code to execute with bin group privileges, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

After a user has logged in, the following commands should cause a core dump and cause the client to crash.

ftp> quote site exec "%p.%p.%p.%p"
500 'SITE EXEC 805b730.0.0.805b180': command not understood.
ftp> quote "%s.%s.%s.%s"
Memory fault (core dumped)
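The session above is consistent with user-supplied QUOTE text being used as a printf-style format string. The following C sketch is an added example, not QNX code (the client's source is not shown on this page): it assumes that pattern and shows the corrected call plus a simple input check. The names build_quote_line and count_conversions are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed vulnerable pattern, shown only as a comment (not QNX source):
 *
 *     snprintf(line, sizeof line, args);    user text used as the format
 *
 * With that call "%p" prints whatever sits in the argument slots and "%s"
 * dereferences those values as pointers: the leak and the crash seen above.
 */

/* Hardened form: the format is a constant and the user text is only data.
 * Returns 0 on success, -1 on bad arguments or if the line would not fit. */
int build_quote_line(char *line, size_t size, const char *args)
{
    if (line == NULL || args == NULL || size == 0)
        return -1;
    int n = snprintf(line, size, "%s\r\n", args);
    if (n < 0 || (size_t)n >= size) {   /* output error or truncation */
        line[0] = '\0';
        return -1;
    }
    return 0;
}

/* Counts printf-style conversion introducers ('%' not followed by '%').
 * Useful for logging suspicious input; it does not replace the fix above. */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent sign */
        if (s[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs copied from the manual testing session. */
    const char *samples[] = { "site exec \"%p.%p.%p.%p\"", "\"%s.%s.%s.%s\"" };
    char line[128];
    for (size_t i = 0; i < 2; i++) {
        if (build_quote_line(line, sizeof line, samples[i]) == 0)
            fputs(line, stdout);        /* fputs does no format parsing */
    }
    return 0;
}
```

Compiling client code with -Wformat -Wformat-security flags calls of the commented-out shape at build time.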

References:

Vendor URL: http://www.qnx.com
Vendor URL: http://www.qnx.com/products/index.html
Secunia Advisory ID: 12533
Other Advisory URL: http://www.rfdslabs.com.br/qnx-advs-04-2004.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0410.html
ISS X-Force ID: 17347
CVE-2004-1682