Wu_ftpd all versions (not) vulnerability.
From: Adam Zabrocki (pi3ki31ny_at_wp.pl)
Date: 09/22/03
- Previous message: Richard M. Smith: "How Verisign's SiteFinder service breaks Windows networking utilities"
- Next in thread: Marcin Ulikowski: "Re: Wu_ftpd all versions (not) vulnerability."
- Maybe reply: Marcin Ulikowski: "Re: Wu_ftpd all versions (not) vulnerability."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 22 Sep 2003 12:44:16 -0000
To: bugtraq@securityfocus.com
I. Entry.
(Not) vulnerable are all versions of the wu_ftp daemon; not in the default installation.
When we use the option where the daemon sends an e-mail with the name of uploaded files,
the daemon uses the function store() and then SockPrintf().
II. Vulnerability details.
The vulnerable function is SockPrintf(). There is a (remote) buffer
overflow bug when the function uses vsprintf():
"in file src/ftpd.c"
```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

int SockPrintf(FILE *sockfp, char *format,...)
{
    va_list ap;
    char buf[32768];            /* fixed-size stack buffer */
    va_start(ap, format);
    vsprintf(buf, format, ap);  /* unbounded: nothing limits the output to sizeof buf */
    va_end(ap);
    return SockWrite(buf, 1, strlen(buf), sockfp);
}
```
buf is a char array (32768). The argument *format is used by vsprintf.
Now look at the function store():
"in file src/ftpd.c"
```c
void store(char *name, char *mode, int unique)
{
...
...
#ifdef MAIL_ADMIN
...
...
    /* name is the uploaded file's name, as supplied by the client */
    SockPrintf(sck, "From: wu-ftpd <%s>\r\n", mailfrom);
    SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
...
    SockPrintf(sck, "%s uploaded %s from %s.\r\nFile size is %d.\r\n"
               "Please move the file where it belongs.\r\n",
               guestpw, pathname, remotehost, byte_count);
...
#endif /* MAIL_ADMIN */
...
...
}
```
In this function we have control over the argument name, and in theory we can do a remote overflow via the call:
SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
... but in the system (Linux) there is a restriction for path_name = 4095, and in this example we would need to build a minimum path_name = 32778 :-) (Is it possible to bypass it?)
III. Exploit.
Nah :-) Read the second section :P
-- pi3 (piekielny / pi3ki31ny) - pi3ki31ny@wp.pl
http://www.pi3.int.pl
"*** the system - FTS"
"Love your mum and your friends :D"
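As an added example (not code from the post or from wu-ftpd itself), the SockPrintf() body above rewritten with vsnprintf() so the 32768-byte stack buffer cannot be overrun whatever length the uploaded file name has; fwrite() stands in for SockWrite(), which the post does not show, and constructed_name()/upload_subject_bytes() are hypothetical helpers that push store()'s "Subject:" line through the hardened path with a constructed file name.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SOCK_BUF_SIZE 32768 /* same size as buf[] in the original SockPrintf() */

/* Bounded formatter: vsnprintf() never writes past bufsize, so an oversized
 * result is cut off instead of overrunning the stack buffer. Returns bytes
 * stored (NUL excluded) and sets *truncated when the message did not fit. */
size_t vsock_format(char *buf, size_t bufsize, int *truncated,
                    const char *format, va_list ap)
{
    int needed = vsnprintf(buf, bufsize, format, ap);
    /* encoding error: send nothing */
    if (needed < 0) { buf[0] = '\0'; *truncated = 0; return 0; }
    *truncated = (size_t)needed >= bufsize;
    return *truncated ? bufsize - 1 : (size_t)needed;
}

/* Hardened SockPrintf(): same fixed buffer, bounded formatting, then write.
 * fwrite() stands in for SockWrite(), which the post does not show (assumed).
 * Returns bytes written, or 0 when the notice would have been truncated. */
size_t SockPrintfSafe(FILE *sockfp, const char *format, ...)
{
    char buf[SOCK_BUF_SIZE];
    int truncated; size_t n; va_list ap;
    va_start(ap, format);
    n = vsock_format(buf, sizeof buf, &truncated, format, ap);
    va_end(ap);
    return truncated ? 0 : fwrite(buf, 1, n, sockfp);
}

/* Constructed sample input: an uploaded-file name of name_len 'A' bytes
 * (the post's Linux path limit is 4095). Static buffer, reused per call. */
const char *constructed_name(size_t name_len)
{
    static char name[SOCK_BUF_SIZE + 8];
    if (name_len >= sizeof name) name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return name;
}

/* store()'s "Subject:" notice through the hardened path; 0 means refused. */
size_t upload_subject_bytes(FILE *sink, size_t name_len)
{
    return SockPrintfSafe(sink, "Subject: New file uploaded: %s\r\n\r\n",
                          constructed_name(name_len));
}
```

The "Subject: New file uploaded: " prefix is 28 bytes and the trailing "\r\n\r\n" is 4, so a 4095-byte name yields a 4127-byte notice, while any name that would push the result to 32768 bytes or more is refused instead of overrunning buf.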