atftpd bug

From: gz (techieoneat_private)
Date: Fri Jun 06 2003 - 13:35:52 PDT

    Hello,
    sorry for my poor English.
    
    After the mail of Rick Patel about atftpd on vuln-dev ml
    
    http://www.securityfocus.com/archive/82/323886/2003-06-02/2003-06-08/0
    
    I investigated the bug a little and found in
    
    tftpd_file.c (line 320)
    
    int tftpd_send_file(struct thread_data *data)
    {
    ...
         char filename[MAXLEN];	/* VAL_SIZE = MAXLEN = 256 */
         char string[MAXLEN];
    ...
         /* Fetch the file name */
         /* If the filename starts with the directory, allow it */
         if (strncmp(directory, data->tftp_options[OPT_FILENAME].value,
                     strlen(directory)) == 0)
              strncpy(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
         else
         {
              strcpy(filename, directory);
              strncat(filename, data->tftp_options[OPT_FILENAME].value,VAL_SIZE);
         }
    ...
    }
    
    It's strange that the authors use strcpy() here, because in the same piece of code
    in the function tftpd_receive_file() they use strncpy(); however, the
    overflow occurs in strncat(). In fact you can patch your atftpd just by writing
    
              strncat(filename, data->tftp_options[OPT_FILENAME].value,
                            VAL_SIZE - strlen( directory ));
    
    instead of the previous strncat(s).
    
    Attached are a little patch and a PoC exploit
    (I decided to publish it because atftpd is not so widespread,
    the bug is known and you can patch your system easily: just do
    'patch < atftpd.patch' in the source directory).
    
    I didn't investigate other bugs in the atftpd code; the patch applies to
    version 0.6 shipped with Debian Woody.
    
    -- 
                            _
    ASCII ribbon campaign  ( )              www.eff.org
     - against HTML email   X          GPG key : pgp.mit.edu
                 & vCards  / \        <techieoneat_private>
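    The following is an added example, not part of the original post or of atftpd itself: a bounded replacement for the directory + filename join shown above, using snprintf() so the whole result (including the terminator) is checked against the destination size, beside a helper that counts the bytes the reported strcpy()/strncat() pattern can write. The directory "/tftpboot/", the buffer size of 256 and the sample names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN 256   /* constructed to match filename[MAXLEN] in the report */

/* Build directory + name into dst (dstsize bytes) without writing past the end.
 * Keeps the two branches of tftpd_send_file(): a name that already starts with
 * the directory is used as-is, anything else is prefixed with the directory.
 * Returns 0 on success, -1 (and an empty dst) if the result would not fit. */
int build_path(char *dst, size_t dstsize, const char *directory, const char *name)
{
    int n;
    if (strncmp(directory, name, strlen(directory)) == 0)
        n = snprintf(dst, dstsize, "%s", name);
    else
        n = snprintf(dst, dstsize, "%s%s", directory, name);
    /* snprintf returns the length it wanted; >= dstsize means truncation. */
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';              /* never hand back a half-built path */
        return -1;
    }
    return 0;
}

/* Bytes the reported pattern writes into filename[]: strcpy(directory) then
 * strncat(..., VAL_SIZE). strncat's count bounds what is appended, not the
 * destination, so the total is strlen(directory) + min(strlen(name), VAL_SIZE)
 * plus one terminator, which exceeds MAXLEN as soon as the name is long. */
size_t unbounded_concat_bytes(const char *directory, const char *name)
{
    size_t appended = strlen(name);
    if (appended > MAXLEN)
        appended = MAXLEN;
    return strlen(directory) + appended + 1;
}

/* Constructed checks: a normal request fits, an over-long one is refused. */
int normal_request_fits(void)
{
    char buf[MAXLEN];
    return build_path(buf, sizeof buf, "/tftpboot/", "pxelinux.0") == 0
        && strcmp(buf, "/tftpboot/pxelinux.0") == 0;
}

int long_request_refused(void)
{
    char buf[MAXLEN], longname[300];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return build_path(buf, sizeof buf, "/tftpboot/", longname) == -1
        && buf[0] == '\0'
        && unbounded_concat_bytes("/tftpboot/", longname) > MAXLEN;
}
```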
    
    This archive was generated by hypermail 2b30 : Fri Jun 06 2003 - 15:07:07 PDT