Malformed vsprintf in bftpd

Type securityvulns
Reporter Securityvulns
Modified 2000-12-07T00:00:00


There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:

int sendstrf(int s, char *format, ...) { .... vsprintf(buffer, format, val);

when the function is called from NLIST command:

else foo = 1; sendstrf(s, entry->d_name); }

This can be used to overflow the buffer of the vsprintf and execute arbitrary code. I don't think it can be normally used for a remote attack because bftpd removes all non-printable characters from input strings and so it is not possible to remotely put a shellcode in a filename. A dimostrative code is attached.