Bugtraq mailing list archives

Re: ftp the real advisory something :)


From: lamagra () HACKERMAIL NET (Lamagra Argamal)
Date: Thu, 29 Jun 2000 11:27:41 -0000


I know you can't bind to a socket and connect, close and connect again. I was thinking a bit bigger, maybe a syscall to
reserve a port/socket for later use. I dunno, have to think about it some more. Of course it'll be against all standards
and RFCs, but I think security goes above that.

I got some time to check out some more commands of proftpd
and found some minor bugs. Mostly just annoying to look at :) But I thought it might be interesting.

void logformat(char *nickname, char *fmts) doesn't check boundaries on its local variable 'format'. As a result custom
logformats could overflow the buffer. Just a really small thingie :) Could cause some problems though.

int dolist(cmd_rec *cmd, const char *opt, int clearflags)
...
     char   pbuffer[MAXPATHLEN];
...
     if(*arg == '~') {
        struct passwd *pw;
        int i;
        const char *p;

        i = 0;
        p = arg;
        p++;

        while(*p && *p != '/')          /* no check that i stays below MAXPATHLEN */
          pbuffer[i++] = *p++;
        pbuffer[i] = '\0';

This function gets called by cmd_stat, with 'arg' being the argument of STAT. This looks really bad and ugly. But it isn't
really exploitable since the input buffer is only 1024 bytes. But it's still insecure programming.
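As an added illustration (not code from the post or from proftpd), here is what the '~' branch above looks like once the copy into pbuffer is bounded. The function copy_tilde_user() and the stand-in PBUF_LEN are assumptions for this example; unchecked_write_len() only counts how many bytes the original loop would have written, so the overlong case can be shown without performing the overflow.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Small stand-in for MAXPATHLEN so the overflow case is cheap to show (assumption). */
#define PBUF_LEN 16

/*
 * Bounded version of the '~' branch: copy the user-name component of arg
 * (text between '~' and the first '/') into pbuf, stopping before the
 * buffer would overflow. Returns the component length, or -1 if arg does
 * not start with '~' or the component does not fit (pbuf is left empty).
 */
int copy_tilde_user(const char *arg, char *pbuf, size_t pbuf_len)
{
    size_t i = 0;
    const char *p;

    if (arg == NULL || *arg != '~' || pbuf_len == 0)
        return -1;

    p = arg + 1;                      /* skip the '~' */
    while (*p && *p != '/') {
        if (i + 1 >= pbuf_len) {      /* keep room for the NUL terminator */
            pbuf[0] = '\0';
            return -1;
        }
        pbuf[i++] = *p++;
    }
    pbuf[i] = '\0';
    return (int)i;
}

/* Number of bytes (including the NUL) the unchecked loop would write for arg. */
size_t unchecked_write_len(const char *arg)
{
    const char *p = arg + 1;
    size_t n = 0;
    while (*p && *p != '/') { n++; p++; }
    return n + 1;
}

int main(void)
{
    char pbuf[PBUF_LEN];
    const char *ok  = "~ftp/pub";                       /* constructed input */
    const char *bad = "~abcdefghijklmnopqrstuvwxyz/x";  /* constructed, too long */

    printf("%s -> %d (\"%s\")\n", ok, copy_tilde_user(ok, pbuf, sizeof pbuf), pbuf);
    printf("%s would write %zu bytes into a %d-byte buffer; bounded copy returns %d\n",
           bad, unchecked_write_len(bad), PBUF_LEN, copy_tilde_user(bad, pbuf, sizeof pbuf));
    return 0;
}
```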

BTW: the tar --use-compress-program bug of wuftpd has never been really fixed. Only one change has been made: the tar
program gets started after the euid change. But this leaves an attack still open, you can get local access using this bug
and an anonymous account. Just a pointer :)

-lamagra
http://lamagra.seKure.de
http://roothat.labs.pulltheplug.com 


