Diffstat (limited to 'informationals/teso-i0031.txt')
| -rw-r--r-- | informationals/teso-i0031.txt | 68 |
1 files changed, 68 insertions, 0 deletions
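--- /dev/null
+++ b/informationals/teso-i0031.txt
@@ -0,0 +1,68 @@
+0031 2000/12/20 exploitable one-byte overflow in openftpd 1.0 beta28
+
+==== TESO Informational =======================================================
+This piece of information is to be kept confidential.
+===============================================================================
+
+Description ..........: exploitable one-byte overflow in openftpd 1.0 beta28
+Date .................: 2000/12/20 23:00
+Author ...............: scut
+Publicity level ......: unknown before, told to openftpd authors
+Affected .............: openftpd 1.0 beta28 and below
+Type of entity .......: exploitable buffer overflow
+Type of discovery ....: vulnerabilitiy
+Severity/Importance ..: high
+Found by .............: scut
+
+===============================================================================
+
+The OpenFTPd project develops a FTP daemon optimized for warez and mp3 sites,
+with extensive script and maintenance support, far over the FTP RFC standards.
+It introduces a command 'SITE INFO' to let each user set his own 'infoline',
+a describing line, which may not be longer then 50 chars. Often it is used to
+set affiliations to certain warez groups or short mottos or slogans.
+
+However, this 'SITE INFO' is flawed:
+
+int cmd_site_info(char** p, int n)
+{
+char str[128];
+char infoline[50];
+int i;
+
+if (!n) printf("UIN %s\n", usr.name);
+else {
+snprintf(str, sizeof(str), "%s ", p[0]);
+for(i = 1; i < n; i++) {
+strncat(str, p[i], sizeof(str) - strlen(str));
+strncat(str, " ", sizeof(str) - strlen(str));
+}
+str[strlen(str) - 1] = '\0';
+printf("UIN %s %s\n", usr.name, str);
+}
+if (!fgets(str, sizeof(str), stdin))
+strncpy(str, "-!Bpipe error!0", sizeof(str) - 1);
+return send_reply(*str == '+' ? 200 : 550, str+1);
+}
+
+The two strncat's store a NUL byte right behind the str buffer, if the content
+of str is already long enough. On x86 platforms the least significant byte of
+the framepointer is overwritten and the stack frame of the calling function
+slides down. This is very much similar to the exploitable one-byte overflow
+in the OpenBSD ftpd recently discovered. Here a reasonable target to store the
+real retaddr in is the buffer str[256] in the calling function, which may be
+easily written into by issuing something like:
+
+AAAAAAAAAAAAAAAAAAAA<up to 256 bytes>\n
+SITE INFO a aaaaaaaa<more then 128 bytes>\n
+
+A substantial portion of the str[256] buffer contains 'A' characters and you
+may have luck that your stored retaddr is at the right place. The ftpd is
+respawning, since only a child process segfaults on wrong attempts, so you
+have enough space and time to try all possible combinations (~ 1000 * 4 * 64
+= 256,000).
+
+The authors have been notified, let's see whether it gets fixed.
+
+===============================================================================
+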
