[NEWS] hpaftpd Multiple Buffer Overflows

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



hpaftpd Multiple Buffer Overflows
------------------------------------------------------------------------


SUMMARY

<http://hpaftpd.sourceforge.net/> hpaftpd is "a high performance
anonymous FTP server (RFC 0959). It is designed to run without forks or
threads and with low memory usage, so it's suitable for heavy network
traffic with very many connections". beSTORM found multiple buffer
overflows in hpaftpd, these vulnerabilities are caused by improper usage
of the insecure sprintf function.

DETAILS

Vulnerable Systems:
* hpaftpd version 1.01

The hpaftpd reads receives user provided data using the following code:
n = nb_get(nbc, buf, BUF_SIZE - 1);

While BUF_SIZE is defined as:
#define BUF_SIZE 8192

The same BUF_SIZE is used whenever hpaftpd wants to write something to the
log/user, here is one example which is returned once the user has provided
a username:
sprintf(obuf, "331 Password required for %s\r\n", ftpc->user);

As you can see, even though ftpc->user is limited to 8192, the obuf is
also limited to 8192:
char buf[BUF_SIZE], obuf[BUF_SIZE]; /* Input buffer, output buffer */

Allowing us to supply numerous commands and arguments which in turn will
overflow the obuf buffer.

The following commands can be used to overflow the obuf buffer:
* USER
* PASS (with a combination of a USER command)
* CWD
* MKD
* RMD
* DELE
* RNFR
* RNTO (with a vald RNFR combination)

Site note:
There appears to be a past attempt to prevent buffer overflows found in
the path related functions, as they use snprintf instead of sprintf.


ADDITIONAL INFORMATION

This vulnerability has been found by
<http://www.beyondsecurity.com/beSTORM> beSTORM. Visit our web site to
download a free 30 day evaluation of beSTORM.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages