Dailydave mailing list archives

ProFTPD, Helix Server bugs


From: Evgeny Legerov <admin () gleg net>
Date: Thu, 23 Nov 2006 15:30:10 +0300

Hi,

If you think that I never report my bugs to vendors - I do that, sometimes.

Here are a few examples (it is probably worth releasing a couple of
advisories):

https://lists.helixcommunity.org/pipermail/server-cvs/2006-June/003176.html

https://helixcommunity.org/plugins/scmcvs/cvsweb.kliu.php/server/protocol/rtsp/rtspserv.cpp?cvsroot=%2F
(search for "GLEG")

This one was published somewhere, I reported it to the proftpd team as well.
proftpd/contrib/mod_tls.c:
"""
...
if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
  datalen = BIO_get_mem_data(mem, &data); ### we can control datalen

if (data) {
  memset(&buf, '\0', sizeof(buf));
  memcpy(buf, data, datalen); ### plain buffer overflow here
  ...
}
"""

Note: I failed to exploit this particular ProFTPD bug.

--
Thanks,
-Evgeny
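
A bounded form of the copy quoted in the message above, added here as an illustration; it is not ProFTPD's code or its actual fix. The helper name `copy_name_bounded`, the 16-byte buffer and the sample subject name are hypothetical and constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from mod_tls.c): copy at most buflen-1 bytes of
 * data into buf and NUL-terminate it. datalen is a long because
 * BIO_get_mem_data() returns long, so negative values must be rejected
 * before the length is used as a size_t.
 * Returns the number of bytes copied, or -1 if buf is unusable. */
long copy_name_bounded(char *buf, size_t buflen, const char *data, long datalen)
{
    size_t n;

    if (buf == NULL || buflen == 0)
        return -1;
    memset(buf, '\0', buflen);
    if (data == NULL || datalen <= 0)
        return 0;               /* nothing to copy; buf is an empty string */

    n = (size_t)datalen;
    if (n > buflen - 1)
        n = buflen - 1;         /* truncate instead of writing past buf */
    memcpy(buf, data, n);
    return (long)n;
}

/* Constructed demo: the source is longer than the destination buffer. */
int main(void)
{
    char buf[16];
    const char name[] = "/C=XX/O=Constructed Example/CN=long-common-name";
    long n = copy_name_bounded(buf, sizeof(buf), name, (long)(sizeof(name) - 1));

    printf("copied %ld of %zu bytes: \"%s\"\n", n, sizeof(name) - 1, buf);
    return 0;
}
```

Where the printed name feeds an access decision rather than a log line, comparing the return value with `datalen` and rejecting oversized input is safer than accepting a truncated name.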
