[9683] in bugtraq

Re: Pro/wuFTPD DoS

daemon@ATHENA.MIT.EDU (CyberPsychotic)
Fri Feb 19 20:25:34 1999

Date: 	Fri, 19 Feb 1999 19:56:59 +0500
Reply-To: CyberPsychotic <fygrave@TIGERTEAM.NET>
From: CyberPsychotic <fygrave@TIGERTEAM.NET>
X-To:         ga <duncan@multimania.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <36CB4661.38E6@multimania.org>

~ Maybe you should repost your email to bugtraq because Aleph1 may not
~ have seen it (I think he is damn busy with 25000+ subscribers).
~

I think I will probably write it again, since I don't have it saved
somewhere.  There's nothing fascinating actually. This seems to be a heap
buffer overflow, which smashes pointers to the dirnames (thus you could
probably get access to files outside chrooted environment):
Here's a screenshot of gdb, attaching to running proftpd process before
overflow took place:
---/gdb screenshot/---

Program received signal SIGSEGV, Segmentation fault.

0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
    s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
    n=1094795585) at ../sysdeps/generic/strncpy.c:82
../sysdeps/generic/strncpy.c:82: No such file or directory.
(gdb) where
#0  0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
    s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
    n=1094795585) at ../sysdeps/generic/strncpy.c:82
#1  0x8057963 in fs_clean_path (
    path=0x41414141 <Address 0x41414141 out of bounds>,
    buf=0x41414141 <Address 0x41414141 out of bounds>, maxlen=1094795585)
    at fs.c:776
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)
--/gdb screenshot/--

The overflow causes SIGSEGV in fs_clean_path() routine, but it happened in
fs_dircat(), which eventually overwrote pointers to path, and buf. I didn't
have time to check whether 1.2.pre2 is vulnerable to this. (tested with
1.2.pre1 with patch applied).


hope this helps..


regards

~Fyodor
--
http://www.kalug.lug.net/	   PGP key: hkp://keys.pgp.com/cyberpsychotic
http://www.kalug.lug.net/fygrave  		  email:fygrave@tigerteam.net
	"There are three kinds of people: men, women, and unix."
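
Added example, not part of the original post and not ProFTPD's code: a length-checked directory join of the kind that keeps an oversized path component from running past its buffer into adjacent pointers, which is the failure the backtrace above shows. The names bounded_dircat and demo_oversized_join, the 64-byte buffer and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not ProFTPD's fs_dircat(). Joins dir1 and dir2 into
 * buf, whose capacity maxlen includes the terminating NUL. Returns 0 on
 * success, -1 if the joined path would not fit (buf is then left empty). */
int bounded_dircat(char *buf, size_t maxlen, const char *dir1, const char *dir2)
{
    size_t len1, len2, sep, room;

    if (buf == NULL || maxlen == 0 || dir1 == NULL || dir2 == NULL)
        return -1;
    buf[0] = '\0';
    if (dir2[0] == '/')          /* absolute second part replaces the first */
        dir1 = "";
    len1 = strlen(dir1);
    len2 = strlen(dir2);
    sep = (len1 > 0 && dir1[len1 - 1] != '/') ? 1 : 0;

    /* Subtract instead of adding so the size arithmetic cannot wrap. */
    if (len1 >= maxlen)
        return -1;
    room = maxlen - len1 - 1;    /* bytes left for separator + dir2 */
    if (sep > room || len2 > room - sep)
        return -1;

    memcpy(buf, dir1, len1);
    if (sep)
        buf[len1] = '/';
    memcpy(buf + len1 + sep, dir2, len2);
    buf[len1 + sep + len2] = '\0';
    return 0;
}

/* Constructed input shaped like the backtrace: 186 'A's joined to a further
 * component, aimed at a 64-byte buffer that sits next to a pointer.
 * Returns 1 if the join was refused and the neighbouring pointer survived. */
int demo_oversized_join(void)
{
    struct { char buf[64]; const char *path; } st;
    static const char marker[] = "/home/ftp";
    char long_dir[187];

    memset(long_dir, 'A', 186);
    long_dir[186] = '\0';
    st.path = marker;
    return bounded_dircat(st.buf, sizeof st.buf, long_dir, "AAAAAAAAAAAAA") == -1
        && st.buf[0] == '\0' && st.path == marker;
}
```

The caller has to treat -1 as a hard failure and reject the request; silently truncating the path instead would change which file the path refers to.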