Bugtraq mailing list archives

Re: proftp advisory


From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 5 Jul 2000 14:23:19 -0700


Hi!

I accidentally discovered Bug1 on 4/20/00 when playing with ProFTP
1.2.0pre10 on OpenBSD.  However, credit for knowing what the problem was
and providing a patch goes to David MacKenzie.  :)
You can see our comments at:

http://bugs.proftpd.net/show_bug.cgi?id=121

--- src/main.c  2000/01/13 01:47:02     1.3
+++ src/main.c  2000/04/29 19:22:18
@@ -377,7 +377,7 @@
   vsnprintf(statbuf, sizeof(statbuf), fmt, msg);

 #ifdef HAVE_SETPROCTITLE
-  setproctitle(statbuf);
+  setproctitle("%s", statbuf);
 #endif /* HAVE_SETPROCTITLE */

   va_end(msg);
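Review bot: The replacement of `-  setproctitle(statbuf);` with `+  setproctitle("%s", statbuf);` is the correct fix: statbuf is filled by `vsnprintf(statbuf, sizeof(statbuf), fmt, msg)` from whatever the caller formatted into it, so it may carry client-supplied text and must reach setproctitle() as an argument, never as the format string. Consider adding a one-line comment on the `+` line stating that the literal "%s" is deliberate, so a later cleanup does not "simplify" it back to the single-argument form, and check the tree for any other setproctitle() call that passes a built buffer as its first argument, since this hunk only covers set_proc_title().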

Max

On Mon, 3 Jul 2000, lamagra wrote:
                          ___________________________________________________
                              http://lamagra.seKure.de: advisory #1

              Advisory: misc. bugs
              Programname: proftpd
              Versions: 1.2.0 <= pre10
              Vendor: proftpd.net
              Severity: high (root shell) and low
              Contact: lamagra () digibel org

Bug1:
  void set_proc_title(char *fmt,...) in src/main.c

  <snippet>
  memset(statbuf, 0, sizeof(statbuf));
  vsnprintf(statbuf, sizeof(statbuf), fmt, msg);

  #ifdef HAVE_SETPROCTITLE
      setproctitle(statbuf);
  #endif /* HAVE_SETPROCTITLE */
  </snippet>

  setproctitle, defined as setproctitle(char *fmt, ...), calls vsnprintf().
  This makes it vulnerable to format attacks. By carefully outlining the
  attack buffer it's possible to gain root privileges.

  Fix: use setproctitle("%s",statbuf);
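As an added illustration (not code from this thread or from ProFTPD), the vulnerable call and the patched call side by side. fake_setproctitle() is a hypothetical stand-in that mirrors the vsnprintf() behaviour the advisory describes for the BSD setproctitle(); the "50%% done" input is a constructed sample chosen because "%%" exercises the second interpretation of the buffer without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the BSD setproctitle(): like the real one it
 * treats its first argument as a printf-style format and runs it through
 * vsnprintf(). It writes to a buffer instead of the process title. */
static char proc_title[256];

static void fake_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof(proc_title), fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern from the advisory: statbuf has already been formatted
 * once and may contain client-supplied text, yet it is handed to
 * setproctitle() as the format, so any '%' sequences in it are interpreted
 * a second time. */
const char *set_proc_title_vulnerable(const char *client_data)
{
    char statbuf[256];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", client_data);
    fake_setproctitle(statbuf);          /* BUG: statbuf used as fmt */
    return proc_title;
}

/* Patched pattern from the thread: a constant "%s" format; statbuf is an
 * argument and is copied literally, '%' characters included. */
const char *set_proc_title_fixed(const char *client_data)
{
    char statbuf[256];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", client_data);
    fake_setproctitle("%s", statbuf);    /* format is a literal */
    return proc_title;
}

int main(void)
{
    /* constructed sample: client-controlled text containing '%' */
    printf("vulnerable: %s\n", set_proc_title_vulnerable("50%% done"));
    printf("fixed:      %s\n", set_proc_title_fixed("50%% done"));
    return 0;
}
```

The vulnerable variant collapses "%%" to "%", showing that the buffer was parsed as a format; the fixed variant reproduces it unchanged.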


