[18979] in bugtraq

home help back first fref pref prev next nref lref last post

Re: QNX RTP ftpd stack overflow

daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Fri Feb 2 21:33:58 2001

Mail-Followup-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
                  bugtraq@securityfocus.com, Kris Kennaway <kris@obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010203001149.Z675@riget.scene.pl>
Date:         Sat, 3 Feb 2001 00:11:49 +0100
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010202150431.A6524@xor.obsecurity.org>; from
              kris@obsecurity.org on Fri, Feb 02, 2001 at 03:04:31PM -0800

On Fri, Feb 02, 2001 at 03:04:31PM -0800, Kris Kennaway wrote:
> > BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
> >      vulnerable to this attack.
> In case anyone is wondering how old is old:

The same problem persists in the heimdal / kerberosIV ftpd implementation:

heimdal/appl/ftp/ftpd/popen.c and kerberosIV/appl/ftp/ftpd/popen.c:

        char **pop, *argv[100], *gargv[1000];

        /* break up string into pieces */
        /* argv has 100 slots, but nothing bounds argc: a line with
           100 or more tokens writes the tokens (and the terminating
           NULL) past the end of argv on the stack */
        foo = NULL;
        for (argc = 0, cp = program;; cp = NULL) {
                if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
                        break;
        }

Both are based on BSD derived ftpd version 6.00.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
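Added example (not code from the post or from the heimdal/kerberosIV sources): the popen.c loop above mirrored so that it only counts the argv slots it would write, beside a bounded version that rejects any line that would not fit in argv[100]; the function names and the constructed input lines are assumptions.

```c
#define _POSIX_C_SOURCE 200809L /* for strtok_r */
#include <string.h>
#define ARGV_SLOTS 100 /* the fixed argv[100] from popen.c */

/* Mirror the original loop but only count the slots it would write (each
 * token plus the terminating NULL); above ARGV_SLOTS it runs past argv[]. */
static size_t slots_written_by_original(char *program)
{
    char *cp, *foo = NULL;
    size_t argc = 0;
    for (cp = program;; cp = NULL) {
        argc++;                     /* stands in for argv[argc++] = ... */
        if (!strtok_r(cp, " \t\n", &foo))
            break;
    }
    return argc;
}

/* Hardened loop: fail once no slot is left for the next token or the
 * terminating NULL. Returns the token count, or -1 on overflow. */
static int split_args_bounded(char *program, char **argv, size_t argv_len)
{
    char *cp, *foo = NULL;
    size_t argc = 0;
    for (cp = program;; cp = NULL) {
        if (argc >= argv_len)
            return -1;              /* would run past argv[] */
        if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
            break;
    }
    return (int)argc - 1;           /* tokens, excluding the NULL */
}

/* Constructed input: n single-letter tokens separated by spaces. */
static char *make_line(int n)
{
    static char buf[1024];
    size_t pos = 0;
    for (int i = 0; i < n && pos + 2 < sizeof buf; i++) {
        buf[pos++] = 'a';
        buf[pos++] = ' ';
    }
    buf[pos] = '\0';
    return buf;
}
/* Run the hardened loop over n tokens with a popen.c-sized argv[]. */
static int bounded_for_n_tokens(int n)
{
    char *argv[ARGV_SLOTS];
    return split_args_bounded(make_line(n), argv, ARGV_SLOTS);
}
```

With 99 tokens the original loop fills argv[100] exactly (99 pointers plus the NULL); from 100 tokens on it writes past the array, which the bounded version reports as -1 instead.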
