[11890] in bugtraq
Re: ProFTPD
daemon@ATHENA.MIT.EDU (pb@ECLIPSE.CERTIX.FR)
Tue Sep 14 16:14:37 1999
Mime-Version: 1.0
X-To:         bugtraq@securityfocus.org
Content-Type: text/plain; charset=us-ascii
Message-Id:  <m11M6nP-000EE9C@eclipse.certix.fr>
Date:         Wed, 1 Sep 1999 11:35:11 +0200
Reply-To: pb@ECLIPSE.CERTIX.FR
From: pb@ECLIPSE.CERTIX.FR
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.3.96.990830191923.9992A-100000@wibble.net>; from Nic
              Bellamy on Mon, Aug 30, 1999 at 07:42:44PM +1200
Hi,
Note that user takes the value "user@host" given at the password prompt
for anonymous access (forgetting any potential DNS attacks into remhost).
This allows anyone to smash the stack just with an anonymous access
and a file to download.
(See the last published exploits.)
Regards,
Pascal
On Mon, Aug 30, 1999 at 07:42:44PM +1200, Nic Bellamy wrote:
> -  sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
> +  snprintf(buf,sizeof(buf),"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
>            fmt_time(time(NULL)),xfertime,remhost,fsize,
>            fname,xfertype,direction,access,user);
>
> To exploit the bug, the attacker must have permission to create
> directories and store files.
>
> Regards,
> 	Nic.
>
> -- Nic Bellamy <sky@wibble.net>
>    J. Random Coder.
--
Pascal Bouchareine
Systems/network administration - CERTIX
Tel: +33 1 40 34 43 57
Fax: +33 1 40 35 09 98
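
The bounded formatting from the quoted patch, with truncation detection added, as an example that is not part of the original messages and is not ProFTPD code. The function names, the 256-byte buffer and all sample values are assumptions constructed for illustration; the oversized `user` stands in for the anonymous password field described above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not ProFTPD code: format one transfer-log record
 * into out[outsz] with the same format string as the quoted patch.
 * Returns 0 on success, -1 if the record did not fit. */
int format_xfer_line(char *out, size_t outsz, const char *when, int xfertime,
                     const char *remhost, unsigned long fsize,
                     const char *fname, char xfertype, char direction,
                     char access, const char *user)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    n = snprintf(out, outsz, "%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
                 when, xfertime, remhost, fsize, fname,
                 xfertype, direction, access, user);
    /* C99 snprintf returns the length it needed; n >= outsz means the
     * record was cut short, so empty it rather than log a partial line. */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed sample input: a "user" value far longer than the buffer. */
int demo_oversized_user(void)
{
    char buf[256];   /* assumed size; the real declaration is not shown */
    char user[1024];

    memset(user, 'A', sizeof(user) - 1);
    user[sizeof(user) - 1] = '\0';
    return format_xfer_line(buf, sizeof(buf), "Wed Sep  1 11:35:11 1999", 1,
                            "client.example", 42UL, "/pub/file", 'b', 'o',
                            'a', user);
}

int main(void)
{
    printf("oversized user rejected: %s\n",
           demo_oversized_user() == -1 ? "yes" : "no");
    return 0;
}
```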