Bugtraq mailing list archives
Re: ProFTPD
From: sky () WIBBLE NET (Nic Bellamy)
Date: Mon, 30 Aug 1999 19:42:44 +1200
On Sun, 29 Aug 1999, dumped wrote:
> Here goes the fix.

It breaks two things that were never problems.

>   p = mod_privdata_alloc(cmd,"stor_filename",strlen(dir)+1);

This dynamically allocates strlen(dir)+1 bytes into the p->value union, making the following strcpy(p->value.str_val,dir) line harmless.

> +    strncpy(p->value.str_val, dir, strlen(p->value.str_val));
[...]
> +    strncpy(p->value.str_val,dir, sizeof(p->value.str_val));

Both of these introduce bugs, not fix them. strlen() on freshly allocated memory won't give you very consistent results, and sizeof(p->value.str_val) gives you sizeof(char *).

To address the bug exploited by the published exploit, apply the following patch, or upgrade to proftpd 1.2.0pre4 (which includes this fix), available from ftp.tos.net:/pub/proftpd/

--- proftpd-1.2.0pre3a/src/log.c.orig	Mon Aug 30 12:28:53 1999
+++ proftpd-1.2.0pre3a/src/log.c	Mon Aug 30 12:29:05 1999
@@ -111,7 +111,7 @@
   if(xferfd == -1)
     return 0;
-  sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
+  snprintf(buf,sizeof(buf),"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
     fmt_time(time(NULL)),xfertime,remhost,fsize,
     fname,xfertype,direction,access,user);

To exploit the bug, the attacker must have permission to create directories and store files.

Regards,
Nic.

--
Nic Bellamy <sky () wibble net>
J. Random Coder.
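Review bot: the log.c hunk replaces sprintf with snprintf(buf,sizeof(buf),...) but discards the return value, so an over-long fname (the field an attacker controls, per the note that they need permission to store files) no longer overflows buf but is silently truncated and still written to the xferlog. Suggest capturing the result, e.g. `int n = snprintf(buf,sizeof(buf),...)`, and treating `n >= sizeof(buf)` as an error rather than logging the truncated line, so the transfer log stays trustworthy for later review.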
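The bounded xferlog formatting the patch above introduces, carried one step further as an added example (not ProFTPD's code): the line is built with snprintf using the same format string and field order as the patch, and the return value is checked so that a name that does not fit is reported instead of being logged truncated. The buffer size, the helper names and the sample field values are assumptions of this example.

```c
/* Added example, not ProFTPD's code.  Assumed buffer size, like the
 * fixed buf[] in proftpd's log.c; the names below are illustrative. */
#include <stdio.h>
#include <string.h>

#define XFERLOG_BUF 1024

/* Build one xferlog line into out (size outsz) with the patch's format.
 * Returns 1 if the whole line fit, 0 if snprintf had to truncate it
 * (or failed), so the caller can refuse to log a mangled record. */
int format_xfer_line(char *out, size_t outsz, const char *timestr, int xfertime,
                     const char *remhost, unsigned long fsize, const char *fname,
                     char xfertype, char direction, char accessmode,
                     const char *user)
{
    /* snprintf never writes beyond outsz bytes; it returns the length the
     * full line would have needed, which is how truncation is detected. */
    int n = snprintf(out, outsz, "%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
                     timestr, xfertime, remhost, fsize, fname,
                     xfertype, direction, accessmode, user);
    if (n < 0)
        return 0;
    return (size_t)n < outsz;
}

/* Constructed sample: an ordinary upload record fits in the buffer. */
int demo_short_name(void)
{
    char buf[XFERLOG_BUF];
    return format_xfer_line(buf, sizeof(buf), "Mon Aug 30 12:28:53 1999", 1,
                            "192.0.2.10", 42UL, "/incoming/readme.txt",
                            'a', 'i', 'r', "anonymous");
}

/* Constructed sample: a 2047-byte file name is longer than the whole
 * buffer, so the bounded write reports truncation instead of overflowing. */
int demo_long_name(void)
{
    char buf[XFERLOG_BUF];
    char longname[2048];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    return format_xfer_line(buf, sizeof(buf), "Mon Aug 30 12:28:53 1999", 1,
                            "192.0.2.10", 42UL, longname,
                            'a', 'i', 'r', "anonymous");
}

int main(void)
{
    printf("short name fits: %d\n", demo_short_name());
    printf("long name fits:  %d\n", demo_long_name());
    return 0;
}
```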