Bugtraq mailing list archives
Re: ftp the real advisory something :)
From: lamagra () HACKERMAIL NET (Lamagra Argamal)
Date: Thu, 29 Jun 2000 11:27:41 -0000
I know you can't bind to a socket and connect, close and connect again. I was thinking a bit bigger, maybe a syscall to reserve a port/socket for later use. I dunno, have to think about it some more. Of course it'll be against all standards and RFCs, but I think security goes above that.

I got some time to check out some more commands of proftpd and found some minor bugs. Mostly just annoying to look at :) But I thought it might be interesting.

void logformat(char *nickname, char *fmts) doesn't check boundaries on its local variable 'format'. As a result custom logformats could overflow the buffer. Just a really small thingie :) Could cause some problems though.

    int dolist(cmd_rec *cmd, const char *opt, int clearflags)
    ...
        char pbuffer[MAXPATHLEN];
    ...
        if(*arg == '~') {
            struct passwd *pw;
            int i;
            const char *p;

            i = 0;
            p = arg;
            p++;
            while(*p && *p != '/')
                pbuffer[i++] = *p++;
            pbuffer[i] = '\0';

This function gets called by cmd_stat, with 'arg' being the argument of STAT. This looks really bad and ugly. But isn't really exploitable since the input buffer is only 1024 bytes. But it's still insecure programming.

BTW: the tar --use-compress-program bug of wuftpd has never been really fixed. Only 1 change has been made, the tar program gets started after euid change. But this leaves an attack still open, you can get local access using this bug and an anonymous account. Just a pointer :)

-lamagra
http://lamagra.seKure.de
http://roothat.labs.pulltheplug.com
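A bounds-checked version of the '~user' copy quoted in the post, added here as an example and not proftpd's code: the function name extract_tilde_user, its arguments and the sample inputs are assumptions. It stops at the destination's limit and reports failure instead of copying until '/' or NUL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not proftpd's code. Copies the user name that follows a
 * leading '~' in a path argument ("~user/dir" -> "user") into a
 * caller-supplied buffer of outlen bytes. The loop in the quoted dolist()
 * fragment only stops at '/' or NUL; here the destination size also ends
 * the copy. Returns true on success, false if the name does not fit
 * (out is then left as an empty string) or the input is not a '~' path. */
bool extract_tilde_user(const char *arg, char *out, size_t outlen)
{
    if (arg == NULL || out == NULL || outlen == 0 || arg[0] != '~')
        return false;

    const char *p = arg + 1;
    size_t i = 0;

    while (*p != '\0' && *p != '/') {
        if (i + 1 >= outlen) {   /* keep one byte for the terminator */
            out[0] = '\0';
            return false;        /* reject over-long names, never overflow */
        }
        out[i++] = *p++;
    }
    out[i] = '\0';
    return true;
}

int main(void)
{
    char user[16];                              /* constructed sizes/inputs */
    const char *samples[] = { "~lamagra/pub", "~averyveryverylongname/x", "/tmp" };

    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        bool ok = extract_tilde_user(samples[n], user, sizeof user);
        printf("%-28s -> %s \"%s\"\n", samples[n], ok ? "ok  " : "fail", user);
    }
    return 0;
}
```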
Current thread:
- Re: ftp the real advisory something :) Lamagra Argamal (Jun 29)