Bugtraq mailing list archives
Re: proftp advisory
From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 5 Jul 2000 14:23:19 -0700
Hi! I accidentally discovered Bug1 on 4/20/00 when playing with ProFTP 1.2.0pre10 on OpenBSD. However, credit for knowing what the problem was and providing a patch goes to David MacKenzie. :) You can see our comments at: http://bugs.proftpd.net/show_bug.cgi?id=121

--- src/main.c 2000/01/13 01:47:02 1.3 +++ src/main.c 2000/04/29 19:22:18 @@ -377,7 +377,7 @@ vsnprintf(statbuf, sizeof(statbuf), fmt, msg); #ifdef HAVE_SETPROCTITLE - setproctitle(statbuf); + setproctitle("%s", statbuf); #endif /* HAVE_SETPROCTITLE */ va_end(msg);

Max

On Mon, 3 Jul 2000, lamagra wrote:
___________________________________________________
http://lamagra.seKure.de: advisory #1

Advisory: misc. bugs
Programname: proftpd
Versions: 1.2.0 <= pre10
Vendor: proftpd.net
Severity: high (root shell) and low
Contact: lamagra () digibel org

Bug1:
void set_proc_title(char *fmt,...) in src/main.c

<snippet>
  memset(statbuf, 0, sizeof(statbuf));
  vsnprintf(statbuf, sizeof(statbuf), fmt, msg);

#ifdef HAVE_SETPROCTITLE
  setproctitle(statbuf);
#endif /* HAVE_SETPROCTITLE */
</snippet>

setproctitle, defined setproctitle(char *fmt,...);, calls vsnprintf(). This makes it vulnerable to format attacks. By carefully outlining the attack buffer it's possible to gain root privileges.

Fix: use setproctitle("%s",statbuf);
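
Review bot: in the src/main.c hunk at line 377, the unchanged context line vsnprintf(statbuf, sizeof(statbuf), fmt, msg) still expands a caller-supplied fmt, so the change to setproctitle("%s", statbuf) closes only the second expansion. Every set_proc_title() caller should be audited to confirm that fmt is always a string literal and that client-controlled text arrives only as an argument. A short comment beside the new call, stating that statbuf must never be passed as the format, would keep it from being simplified back to the one-argument form later.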
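
The double expansion the advisory describes, as an added example that is not part of the original posts or of the ProFTPD source. title_set() is a hypothetical stand-in for setproctitle(), and the sample input is constructed, using only the harmless %% directive to make the second expansion visible.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char title[128];              /* stand-in for the process title */

/* Hypothetical stand-in for setproctitle(const char *fmt, ...):
 * like the real call, it expands fmt through vsnprintf(). */
static void title_set(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(title, sizeof(title), fmt, ap);
    va_end(ap);
}

/* Pre-patch pattern: statbuf is handed over as the format string,
 * so any '%' it carries is interpreted a second time. */
const char *title_unpatched(const char *client_text)
{
    char statbuf[128];
    snprintf(statbuf, sizeof(statbuf), "%s", client_text);
    title_set(statbuf);
    return title;
}

/* Patched pattern: the format is a literal, statbuf is only data. */
const char *title_patched(const char *client_text)
{
    char statbuf[128];
    snprintf(statbuf, sizeof(statbuf), "%s", client_text);
    title_set("%s", statbuf);
    return title;
}

int main(void)
{
    const char *sample = "ftp: 100%% done";   /* constructed input */
    printf("unpatched: %s\n", title_unpatched(sample));
    printf("patched:   %s\n", title_patched(sample));
    return 0;
}
```

The unpatched path rewrites the client text before it reaches the title, while the patched path stores it byte for byte. Declaring the stand-in with GCC's `__attribute__((format(printf, 1, 2)))` lets `-Wformat-security` flag the one-argument call at compile time.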