Full Disclosure mailing list archives

netkit-ftpd/ftp uninitialized vulnerability


From: "xiaojunli.air" <xiaojunli.air () gmail com>
Date: Sat, 08 Dec 2007 00:01:43 +0800

netkit-ftpd/ftp uninitialized vulnerability
Class: Design Error
Date: 11/1/2007
CVE ID: CVE-2007-5769
Vulnerable:
        netkit-ftpd-0.17/netkit-ftp-0.17
Vendor:

I.Synopsis

An uninitialized-variable use has been discovered in the netkit-ftpd server and in the netkit-ftp client: both call fclose() on a FILE pointer that was never assigned, which crashes the process.

II.DETAILS:
----------
Background

netkit-ftpd is the Linux Netkit FTP server with optional SSL support.
netkit-ftp is the corresponding FTP client.

Description

        There is an uninitialized-variable use in the function dataconn() in ftpd.c.
        The FILE pointer is declared but never assigned before the SSL error path
        calls fclose() on it:

        static FILE * dataconn(const char *name, off_t size, const char *mode)
        {
                char sizebuf[32];
                FILE *file;  <- uninitialized variable

                ...
                         if (SSL_accept(ssl_data_con)<=0) {
1459                            static char errbuf[1024];
1460
1461                            snprintf(errbuf, sizeof(errbuf), "ftpd: SSL_accept DATA error %s\n",
1462                                        ERR_error_string(ERR_get_error(),NULL));
1463                            perror_reply(425, errbuf);
1464                            /* abort time methinks ... */
1465                            fclose(file); <-- fclose() on an uninitialized pointer
1466                            return NULL;


Program received signal SIGSEGV, Segmentation fault.
0x6fca33fd in fclose () from /lib/libc.so.6
(gdb) bt
#0  0x6fca33fd in fclose () from /lib/libc.so.6
#1  0x0804c601 in dataconn (name=0x77add110 "/bin/ls", size=<value optimized out>, mode=0x8053f4f "w") at ftpd.c:1465
#2  0x0804d3f8 in retrieve (cmd=0x80550c7 "/bin/ls -lgA", name=0x77add110 "/bin/ls") at ftpd.c:1197
#3  0x0805193a in yyparse () at ftpcmd.y:378
) at ftpd.c:685

To trigger this bug, the client must use passive mode for the data transfer,
and SSL_accept() must fail at ftpd.c:1458. A client that breaks the data
connection before the SSL handshake completes causes SSL_accept() to fail,
which takes the error path shown above.

The same problem occurs in the netkit-ftp client's getreply(), which calls
fclose(cout) on the error path after lostpeer() has already torn the
connection down:
467     int
468     getreply(int expecteof)
469     {
........
520                                             (void) signal(SIGINT,oldintr);
521                                             code = 221;
522                                             return (0);
523                                     }
524                                     lostpeer(0);
525                                     fclose(cout);

Program received signal SIGSEGV, Segmentation fault.
0x6fcb73fd in fclose () from /lib/libc.so.6
(gdb) bt
#0  0x6fcb73fd in fclose () from /lib/libc.so.6
#1  0x0804fb9c in getreply (expecteof=0) at ftp.c:525
#2  0x0804fe49 in abort_remote (din=0x8099a20) at ftp.c:2117
#3  0x08052400 in recvrequest (cmd=0x80567f1 "LIST", local=0x8059400 "-", remote=0x0, lmode=0x8056b44 "w", printnames=0) at ftp.c:1288
#4  0x0804bcb5 in ls (argc=1, argv=0x80650e0) at cmds.c:1429
#5  0x08055382 in main (argc=-817625725, argv=0xc3010805) at main.c:484

Impact
Using an uninitialized pointer is undefined behaviour; in the cases shown above
the server child and the client both crash with SIGSEGV inside fclose(). Since
a remote client can make SSL_accept() fail simply by breaking the passive-mode
data connection during the handshake, the server-side bug is remotely
triggerable.

III.CREDIT:
----------
    Venustech AD-LAB discovered this vulnerability. Thanks to all the Venustech AD-Lab
guys.

IV.DISCLAIMER:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

