Bugtraq mailing list archives

Re: ProFTPD

From: pb () ECLIPSE CERTIX FR (pb () ECLIPSE CERTIX FR)
Date: Wed, 1 Sep 1999 11:35:11 +0200


Hi,
Note that user takes the value "Note that user takes the value "user@host" given at password prompt
for anonymous access (forgetting any potential dns attacks into remhost)
This allows anyone to smash the stack just with an anonymous access
and a file to download.
(see last published exploits.)

Regards,
Pascal

On Mon, Aug 30, 1999 at 07:42:44PM +1200, Nic Bellamy wrote:

-  sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
+  snprintf(buf,sizeof(buf),"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
           fmt_time(time(NULL)),xfertime,remhost,fsize,
           fname,xfertype,direction,access,user);

To exploit the bug, the attacker must have permission to create
directories and store files.

Regards,
      Nic.

-- Nic Bellamy <sky () wibble net>
   J. Random Coder.


--
Pascal Bouchareine
Administration systemes/reseaux - CERTIX
Tel: +33 1 40 34 43 57
Fax: +33 1 40 35 09 98

Current thread:

Re: ProFTPD Daniel Jacobowitz (Aug 31)
- <Possible follow-ups>
- Re: ProFTPD pb () ECLIPSE CERTIX FR (Sep 01)