Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BUG in ftp client on *BSD and Solaris system?

From: "Crist J. Clark" <crist.clark () attbi com>
Date: Sat, 1 Jun 2002 14:00:35 -0700
On Fri, May 31, 2002 at 09:36:55PM +0200, Admin wrote:

Hello all,
in these days I got a strange core dump using the ftp client.
This core dump can only did by using the PUTTY ssh client...

(Tested with putty 0.52)

 >root@Wayreth[~]: ftp ftp.unina.it
 >Connected to ftp.unina.it.
 >220
 >Name (ftp.unina.it:root): ^\Quit (core dumped)
 >root@Wayreth[~]:

for do that, just push CTRL+รน when the user is requested...

Tested system:
-OpenBSD 3.1
-OpenBSD 3.0
-OpenBSD 2.9
-FreeBSD 4.4-RC5
-FreeBSD 4.5-STABLE
-FreeBSD kalieye 4.6-RC FreeBSD 4.6-RC
-SunOS XXXXX 5.6 Generic_105181-30 sun4u sparc SUNW,Ultra-Enterprise
-SunOS XXXXX 5.6 Generic_105182-30 i86pc i386 i86pc

Not vulnerable:
-Linux

This bug haven't any security issue, it's only a client and not with the 
+s flag. In these day I haven't the time to check the source code for 
see what's is wrong, I will did it in some days...


This has nothing directly to do with ftp(1). This is inside of
fgets(3) and libc. This little program can reproduce it,

#include <stdio.h>

#define BSIZE 100

int main()
{
  char buf[BSIZE];

  printf("Input: ");
  if (fgets(buf, BSIZE, stdin) != NULL)
    printf("Success: %s", buf);
  else {
    printf("Failed\n");
    return 1;
  }

  return 0;
}

Just hit ctrl-\ at the 'Input:' prompt.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org
Previous By Date Next
Previous By Thread Next

Current thread: