Re: ProFTPD

From: Nic Bellamy (skyat_private)
Date: Mon Aug 30 1999 - 00:42:44 PDT


    On Sun, 29 Aug 1999, dumped wrote:
    
    > Here goes the fix.
    
    It breaks two things that were never problems.
    
     p = mod_privdata_alloc(cmd,"stor_filename",strlen(dir)+1);
    
    This dynamically allocates strlen(dir)+1 bytes into the p->value union,
    making the following strcpy(p->value.str_val,dir) line harmless.
    
    +  strncpy(p->value.str_val, dir, strlen(p->value.str_val));
     [...]
    +  strncpy(p->value.str_val,dir, sizeof(p->value.str_val));
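    Review bot: both added strncpy lines bound the copy by something other than the allocation size, and both leave the destination unterminated: strlen() on the freshly allocated p->value.str_val reads uninitialized bytes, and sizeof(p->value.str_val) is the size of a char pointer (4 or 8 bytes), so any longer dir is cut off with no NUL written. Since mod_privdata_alloc(cmd,"stor_filename",strlen(dir)+1) already reserves exactly the bytes needed, the original strcpy is correct and these two lines should be dropped.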
    
    Both of these introduce bugs, not fix them. strlen() on freshly allocated
    memory won't give you very consistent results, and sizeof(p->value.str_val)
    gives you sizeof(char *).
    
    To address the bug exploited by the published exploit, apply the following
    patch, or upgrade to proftpd 1.2.0pre4 (which includes this fix),
    available from ftp.tos.net:/pub/proftpd/
    
    --- proftpd-1.2.0pre3a/src/log.c.orig   Mon Aug 30 12:28:53 1999
    +++ proftpd-1.2.0pre3a/src/log.c        Mon Aug 30 12:29:05 1999
    @@ -111,7 +111,7 @@
       if(xferfd == -1)
         return 0;
    
    -  sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
    +  snprintf(buf,sizeof(buf),"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
               fmt_time(time(NULL)),xfertime,remhost,fsize,
               fname,xfertype,direction,access,user);
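    Review bot: the snprintf return value is discarded, so an overlong fname (the mail notes the client controls directory and file names here) is silently truncated to sizeof(buf)-1 bytes and the xferlog entry is written incomplete with no warning; if complete transfer records matter for auditing, capture the result and test `if (n >= sizeof(buf))` before writing the line. Note also that sizeof(buf) is only the buffer length if buf is a local array; the hunk's context does not show its declaration, so that should be confirmed in log.c.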
    
    To exploit the bug, the attacker must have permission to create
    directories and store files.
    
    Regards,
    	Nic.
    
    -- Nic Bellamy <skyat_private>
       J. Random Coder.
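The three points in the message above (the strlen(dir)+1 allocation making strcpy safe, sizeof(p->value.str_val) being only a pointer's size, and snprintf bounding the xferlog write) as an added, stand-alone C example. This is not ProFTPD code: the `priv_value` union, the 256-byte `XFERLOG_BUFSZ`, and all sample values are constructed here to illustrate the behaviour, and `format_xferlog_line` only reuses the format string shown in the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for ProFTPD's privdata value union; the real layout
 * differs, but the only property used here is that str_val is a pointer. */
union priv_value {
    char *str_val;
    long  int_val;
};

/* Constructed buffer size; the mail does not show the real size of buf in log.c. */
#define XFERLOG_BUFSZ 256

/* What sizeof(p->value.str_val) actually denotes: the size of a pointer,
 * not the size of the allocation it points to. */
size_t strval_field_size(void)
{
    union priv_value v;
    return sizeof(v.str_val);
}

/* The original, correct pattern: allocate strlen(dir)+1 and strcpy into it.
 * Returns 1 if the copy came back byte-for-byte identical to dir. */
int stor_filename_copied_intact(const char *dir)
{
    char *s = malloc(strlen(dir) + 1);
    int ok;
    if (s == NULL)
        return 0;
    strcpy(s, dir);                 /* safe: destination sized to fit */
    ok = (strcmp(s, dir) == 0);
    free(s);
    return ok;
}

/* The quoted "fix": strncpy bounded by sizeof of the pointer field.
 * calloc is used only so the result can be measured safely; with malloc,
 * as in the original, the bytes after the copy are uninitialized and the
 * string has no terminating NUL at all. Returns strlen() of the result. */
size_t truncating_copy_length(const char *dir)
{
    union priv_value v;
    size_t n;
    v.str_val = calloc(strlen(dir) + 1, 1);
    if (v.str_val == NULL)
        return 0;
    strncpy(v.str_val, dir, sizeof(v.str_val));   /* at most 4 or 8 bytes copied */
    n = strlen(v.str_val);
    free(v.str_val);
    return n;
}

/* The xferlog line as written by the patched log.c, bounded by snprintf.
 * Returns the length snprintf wanted; a value >= bufsz means the line was
 * truncated instead of overflowing buf as sprintf would have. */
int format_xferlog_line(char *buf, size_t bufsz,
                        const char *timestr, int xfertime, const char *remhost,
                        unsigned long fsize, const char *fname,
                        char xfertype, char direction, char access,
                        const char *user)
{
    return snprintf(buf, bufsz, "%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
                    timestr, xfertime, remhost, fsize,
                    fname, xfertype, direction, access, user);
}

/* Builds a line from an fname of fname_len 'A's (constructed input) and
 * returns 1 if it fit in XFERLOG_BUFSZ, 0 if it was truncated. */
int xferlog_line_fits(size_t fname_len)
{
    char buf[XFERLOG_BUFSZ];
    char *fname = malloc(fname_len + 1);
    int needed;
    if (fname == NULL)
        return -1;
    memset(fname, 'A', fname_len);
    fname[fname_len] = '\0';
    needed = format_xferlog_line(buf, sizeof(buf),
                                 "Mon Aug 30 12:29:05 1999", 1, "192.0.2.10",
                                 1024UL, fname, 'b', 'i', 'a', "anonymous");
    free(fname);
    return needed < (int)sizeof(buf);
}

int main(void)
{
    const char *dir = "incoming/uploads/some_long_directory_name";
    printf("sizeof(str_val) = %zu (a pointer, not the allocation)\n", strval_field_size());
    printf("strcpy into strlen(dir)+1 bytes intact: %d\n", stor_filename_copied_intact(dir));
    printf("strncpy bounded by sizeof(str_val) kept %zu of %zu bytes\n",
           truncating_copy_length(dir), strlen(dir));
    printf("16-byte fname fits: %d, 1000-byte fname fits: %d\n",
           xferlog_line_fits(16), xferlog_line_fits(1000));
    return 0;
}
```

The last two calls are the difference the patch makes: with the original sprintf the 1000-byte name would have been written past the end of buf, while snprintf stops at sizeof(buf)-1 and reports the length it needed, which a caller can check.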
    