Re: Pro/wuFTPD DoS

[fygrave () TIGERTEAM NET (CyberPsychotic)]

~ Maybe you should repost your email to bugtraq because Aleph1 may not
~ have seen it (I think he is damn busy with 25000+ subscribers).
~

I think I will probably write it again, since I don't I have it saved
somewhere.  There's nothing fascinating actually. This seem to be a heap
buffer overflow, which smashes pointers to the dirnames (thus you could
probably get access to files outsite chrooted envinronment):
Here's screenshot of gdb, attaching to running proftpd process before
overflow took place:
-
--/gdb screenshot/---

Program received signal SIGSEGV, Segmentation fault.

0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
    s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
    n=1094795585) at ../sysdeps/generic/strncpy.c:82
../sysdeps/generic/strncpy.c:82: No such file or directory.
(gdb) where
#0  0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
    s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
    n=1094795585) at ../sysdeps/generic/strncpy.c:82
#1  0x8057963 in fs_clean_path (
    path=0x41414141 <Address 0x41414141 out of bounds>,
    buf=0x41414141 <Address 0x41414141 out of bounds>, maxlen=1094795585)
    at fs.c:776
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)
--/gdb screenshot/--

 The overflow causes SIGSEGV in fs_clean_path() routine, but it happened in
fs_dircat(), which eventualy overwrote pointers to path, and buf. I didn't
have time to check whether 1.2.pre2 is vulneriable to this. (tested with
1.2.pre1 with patch appiled).


hope this helps..


regards

~Fyodor
--
http://www.kalug.lug.net/          PGP key: hkp://keys.pgp.com/cyberpsychotic
http://www.kalug.lug.net/fygrave                  email:fygrave () tigerteam net
        "There are three kinds of people: men, women, and unix."