[15655] in bugtraq
Re: proftp advisory
daemon@ATHENA.MIT.EDU (Max Vision)
Thu Jul 6 13:40:14 2000
Message-Id: <Enip.BSO.23.0007051416520.32126-100000@www.whitehats.com>
Date: Wed, 5 Jul 2000 14:23:19 -0700
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To: lamagra <lamagra@digibel.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000703103846.9733E1EE88@lists.securityfocus.com>
Hi!
I accidentally discovered Bug1 on 4/20/00 when playing with ProFTP
1.2.0pre10 on OpenBSD. However, credit for knowing what the problem was
and providing a patch goes to David MacKenzie. :)
You can see our comments at:
http://bugs.proftpd.net/show_bug.cgi?id=121
--- src/main.c 2000/01/13 01:47:02 1.3
+++ src/main.c 2000/04/29 19:22:18
@@ -377,7 +377,7 @@
vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
#ifdef HAVE_SETPROCTITLE
- setproctitle(statbuf);
+ setproctitle("%s", statbuf);
#endif /* HAVE_SETPROCTITLE */
va_end(msg);
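Review bot: the one-line change is the right fix for the line `- setproctitle(statbuf);`: statbuf has already been produced by the `vsnprintf(statbuf, sizeof(statbuf), fmt, msg);` directly above it, so handing it to setproctitle(3) (itself a printf-style function) as the format argument means any '%' sequences that reached statbuf are interpreted a second time, and `+ setproctitle("%s", statbuf);` makes statbuf plain argument data. Worth checking that no other setproctitle() call in the tree passes a variable as its first argument, since only this call site is in the hunk.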
Max
On Mon, 3 Jul 2000, lamagra wrote:
> ___________________________________________________
> http://lamagra.seKure.de: advisory #1
>
> Advisory: misc. bugs
> Program name: proftpd
> Versions: 1.2.0 <= pre10
> Vendor: proftpd.net
> Severity: high (root shell) and low
> Contact: lamagra@digibel.org
>
> Bug1:
> void set_proc_title(char *fmt,...) in src/main.c
>
> <snippet>
> memset(statbuf, 0, sizeof(statbuf));
> vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
>
> #ifdef HAVE_SETPROCTITLE
> setproctitle(statbuf);
> #endif /* HAVE_SETPROCTITLE */
> </snippet>
>
> setproctitle, defined setproctitle(char *fmt,...);, calls vsnprintf().
> This makes it vulnerable to format attacks. By carefully outlining the
> attack buffer it's possible to gain root privileges.
>
> Fix: use setproctitle("%s",statbuf);
>
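The defect in the quoted set_proc_title() snippet next to the patched form, as an added C example that is not part of this thread or of ProFTPD: fake_setproctitle, title_vulnerable, title_fixed, count_format_directives and the sample client strings are constructed for illustration, and a bare "%%" is used as the probe because it is the one directive that consumes no argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for setproctitle(3): like the real one it takes a printf-style
 * format and expands it with vsnprintf. The result is kept in proc_title so
 * it can be inspected (constructed for this example). */
static char proc_title[128];

static void fake_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof(proc_title), fmt, ap);
    va_end(ap);
}

/* Mirrors the pre10 code: statbuf is formatted once, then handed to
 * setproctitle as the FORMAT string, so any '%' sequences a client managed
 * to get into statbuf are interpreted a second time. */
const char *title_vulnerable(const char *client_arg)
{
    char statbuf[128];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", client_arg);
    fake_setproctitle(statbuf);        /* statbuf used as a format string */
    return proc_title;
}

/* The patched form: statbuf is an ARGUMENT to a constant "%s" format, so
 * its contents are copied verbatim, '%' characters included. */
const char *title_fixed(const char *client_arg)
{
    char statbuf[128];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", client_arg);
    fake_setproctitle("%s", statbuf);  /* statbuf is data, not a format */
    return proc_title;
}

/* Audit helper: number of '%' sequences in s that a printf-family function
 * would try to expand (a doubled "%%" is a literal percent and not counted).
 * Useful for spotting untrusted data that must never become a format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') i++;      /* skip the escaped "%%" pair */
        else n++;
    }
    return n;
}
```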