[18483] in bugtraq


Re: wuftpd 2.6.1 -- example of bad coding

daemon@ATHENA.MIT.EDU (Iván Arce)
Tue Jan 9 11:15:55 2001

Message-ID:  <080f01c079ca$c5af5250$2e58a8c0@ffornicario>
Date:         Mon, 8 Jan 2001 20:35:19 -0300
Reply-To: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
From: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,
 I fail to understand why these vulnerabilities are NOT
 exploitable, could you elaborate a bit on that?
-ivan

----- Original Message -----
From: "Przemyslaw Frasunek" <venglin@FREEBSD.LUBLIN.PL>
Newsgroups: core.lists.bugtraq
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, January 08, 2001 4:12 PM
Subject: wuftpd 2.6.1 -- example of bad coding


> Hello,
>
> There are two non-exploitable format string bugs in wuftpd 2.6.1.
>
> ftpd.c:6272
>
>     if (debug) {
>         char *s = calloc(128 + strlen(remoteident), sizeof(char));
>         if (s) {
>             int i = ntohs(pasv_addr.sin_port);
>             sprintf(s, "PASV port %i assigned to %s", i, remoteident);
> /* here */  syslog(LOG_DEBUG, s);
>             free(s);
>         }
>     }
>
> ftpd.c:6288
>
>     if (debug) {
>         char *s = calloc(128 + strlen(remoteident), sizeof(char));
>         if (s) {
>             sprintf(s, "PASV port assignment assigned for %s", remoteident);
> /* here */  syslog(LOG_DEBUG, s);
>             free(s);
>         }
>     }
>
> Example:
>
> riget:venglin:~> tail -n1 /etc/hosts
> 212.182.115.2           riget%p%p%p%p%p%p%p%p%p%p.scene.pl riget
> riget:venglin:~> tail -n2 /var/log/debug
> Jan  8 14:28:03 riget ftpd[53990]: command: pasv^M
> Jan  8 14:28:03 riget ftpd[53990]: PASV port 17355 assigned to riget0xbfbff1640x80536440x807c2000x8066c210x43cb0x80791000xe0x5c0x960x28085000.scene.pl [212.182.115.2]

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce@core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================





--- For a personal reply use iarce@core-sdi.com
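
The corrected form of the two syslog() calls marked "here" in the quoted code, as an added example that is not part of the original post or of wu-ftpd's source. The helper names (count_format_directives, build_pasv_msg, log_pasv), the 512-byte buffer and the sample remoteident string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example; helper names are hypothetical. Rough count of the
 * conversions printf-style code would act on if `s` were the format. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* "%%" is a literal percent, no argument read */
        else if (s[1] != '\0')
            n++;            /* would read an argument that was never passed */
    }
    return n;
}

/* Build the debug message with a constant format; remoteident is data.
 * Returns the length written, or -1 if the message did not fit. */
static int build_pasv_msg(char *out, size_t outlen, int port,
                          const char *remoteident)
{
    int len = snprintf(out, outlen, "PASV port %i assigned to %s",
                       port, remoteident);
    return (len < 0 || (size_t)len >= outlen) ? -1 : len;
}

/* Hardened logging call: the message is an argument to a constant "%s". */
static int log_pasv(int port, const char *remoteident)
{
    char msg[512];
    int len = build_pasv_msg(msg, sizeof msg, port, remoteident);
    if (len < 0)
        return -1;
    syslog(LOG_DEBUG, "%s", msg);        /* not syslog(LOG_DEBUG, msg) */
    return count_format_directives(msg); /* these are logged as plain text */
}

int main(void)
{
    /* Constructed remoteident, modelled on the /etc/hosts entry above. */
    const char *ident = "riget%p%p%p%p%p%p%p%p%p%p.scene.pl [212.182.115.2]";
    printf("directives logged literally: %d\n", log_pasv(17355, ident));
    return 0;
}
```

Building with -Wformat -Wformat-security makes gcc and clang warn about a call of the syslog(LOG_DEBUG, s) form, where the format is not a string literal and no arguments follow it.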
