[18463] in bugtraq

wuftpd 2.6.1 -- example of bad coding

daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Mon Jan 8 14:34:51 2001

Mail-Followup-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
                  bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010108161041.F80865@riget.scene.pl>
Date:         Mon, 8 Jan 2001 16:10:41 +0100
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

There are two non-exploitable format string bugs in wuftpd 2.6.1.

ftpd.c:6272

    if (debug) {
        char *s = calloc(128 + strlen(remoteident), sizeof(char));
        if (s) {
            int i = ntohs(pasv_addr.sin_port);
            sprintf(s, "PASV port %i assigned to %s", i, remoteident);
/* here */  syslog(LOG_DEBUG, s);
            free(s);
        }
    }

ftpd.c:6288

    if (debug) {
        char *s = calloc(128 + strlen(remoteident), sizeof(char));
        if (s) {
            sprintf(s, "PASV port assignment assigned for %s", remoteident);
/* here */  syslog(LOG_DEBUG, s);
            free(s);
        }
    }

Example:

riget:venglin:~> tail -n1 /etc/hosts
212.182.115.2           riget%p%p%p%p%p%p%p%p%p%p.scene.pl riget
riget:venglin:~> tail -n2 /var/log/debug
Jan  8 14:28:03 riget ftpd[53990]: command: pasv^M
Jan  8 14:28:03 riget ftpd[53990]: PASV port 17355 assigned to riget0xbfbff1640x80536440x807c2000x8066c210x43cb0x80791000xe0x5c0x960x28085000.scene.pl [212.182.115.2]

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
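
The fix for both call sites, as an added example that is not part of the original post or of wu-ftpd's source: give syslog() a constant format string so that remoteident is only ever an argument. The function names format_pasv_msg, log_pasv and count_format_directives and the sample hostname are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Build the debug line with a constant format string. remoteident is only
 * an argument, so any '%' in it is copied literally. Returns the length
 * snprintf wanted to write (output was truncated if the result is >= n). */
int format_pasv_msg(char *out, size_t n, int port, const char *remoteident)
{
    return snprintf(out, n, "PASV port %i assigned to %s", port, remoteident);
}

/* Hardened counterpart of the two syslog(LOG_DEBUG, s) calls: syslog takes
 * printf-style arguments itself, so no calloc'd scratch buffer is needed. */
void log_pasv(int port, const char *remoteident)
{
    syslog(LOG_DEBUG, "PASV port %i assigned to %s", port, remoteident);
}

/* Count '%' directives in a peer-supplied name ("%%" is not counted).
 * Hostnames have no reason to contain '%', so a non-zero result is a
 * cheap signal worth logging or rejecting before the name is used. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample, modelled on the /etc/hosts entry in the post. */
    const char *remoteident = "riget%p%p.scene.pl [212.182.115.2]";
    char buf[256];

    format_pasv_msg(buf, sizeof buf, 17355, remoteident);
    printf("%s (directives in name: %d)\n", buf,
           count_format_directives(remoteident));
    log_pasv(17355, remoteident);
    return 0;
}
```

Building with -Wformat -Wformat-security (GCC or Clang) flags calls of the syslog(LOG_DEBUG, s) shape at compile time.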
