advisory on rftpd

2004-08-17T00:00:00
ID SECURITYVULNS:DOC:6614
Type securityvulns
Reporter Securityvulns
Modified 2004-08-17T00:00:00

Description

                   .:: Security Advisory ::.
           by unl0ck team [http://web-hack.ru/unl0ck]
                           _  _     ___  _  __  _  _
         |  |  _  |  _   _  |/       |  |_ |__| |\/|
         |__| | | | |_| |_ _|\_      |  |_ |  | |  |

Advisory: #3 by unl0ck team Bug: buffer overflow Product: rftpd current version http://rave.swehack.se Author: Werro [werro@list.ru] Realease Date : 14/08/04 Risk: Low Vendor status: Vendor is in a big shit :) Reference: http://web-hack.ru/unl0ck/advisories/

Overview: Do you know that many ftp daemons are released with NULL support? rFTPD is not like that at all, your experience will build the software! While you read this page, our team is writing the online manual for the server, to take away any doubts that may prevent you to use our program. rFTPD offers:

Download at high speed Fantastic logging Unique signal handling Restore your download after the client disconnection Very easy configuration Multiple languages are available such as English, dutch, norwegian, swedish, italian. EPRT/EPASV full working

Details: Bug was found in log.c file in va_printf() function. It is very lower bug :). But it is bug :).

=================================================== char va_ret[512]; char va_printf(char message) {

...

fs_zero (va_ret , sizeof(va_ret)); if ( message != NULL ) { sprintf(va_ret ,"%d-%d-%d %02d:%02d:%02d: %s ", 1900 + tm_s->tm_year, tm_s->tm_mon, tm_s->tm_mday, tm_s->tm_hour, tm_s->tm_min, tm_s->tm_sec, message); return (char *)va_ret;

...

To avoid this bug use snprintf().

14/08/04. (c) by unl0ck team. http://web-hack.ru/unl0ck