DoS in PureFTPd - continue.

From: Adam Zabrocki (pi3ki31ny_at_wp.pl)
Date: 11/11/03

    Date: 11 Nov 2003 14:58:21 -0000
    To: bugtraq@securityfocus.com


         After carefully reading the PureFTPd source and talking with the PureFTPd author, I must apologize for the false alarm about the DoS in PureFTPd, because the messy code will never be executed. Look once more at the source - function displayrate():

    "in file src/ftpd.c"
    static void displayrate(const char *word, off_t size,
                            const double started,
                            const char * const name, int up)
    {
    ...
    ...
            char *resolved_path;
    ...
    ...
            resolved_path[sizeof_resolved_path - 1U] = 0;
            if (realpath(name, resolved_path) == NULL) {
    ...
    ...
            if (resolved_path[sizeof_resolved_path - 1U] != 0) {
                for (;;) {
                    *resolved_path++ = 0;
                }
            }
    ...
    ...
    }

    Before reaching the for() loop, PureFTPd executes the function realpath() (in file src/bsd-realpath.c, function bsd_realpath()). Look at it carefully:

    "src/bsd-realpath.c"
    char *bsd_realpath(const char *path, char *resolved)
    {
        char wbuf[MAXPATHLEN + 1U];
    ...
    ...
        if (strlen(resolved) + strlen(wbuf) + (size_t) needslash +
            (size_t) 1U > sizeof_resolved) {
            errno = ENAMETOOLONG;
            goto err1;
        }
    ...
    ...
        (void) strcat(resolved, wbuf); /* flawfinder: ignore - safe, see above */
    ...
    ...
    }

    Before doing strcat() and writing the string into that specific memory (for the messy code to run, that memory would have to be written), the function checks the length, and when it is longer than sizeof_resolved (sizeof_resolved is MAXPATHLEN) the function returns ENAMETOOLONG. This protects against the DoS.
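    The following is an added, constructed illustration of the bounds check described above; it is not Pure-FTPd's own code. It reproduces the pattern of bsd_realpath() (check strlen(resolved) + strlen(component) + needslash + 1 against sizeof_resolved before strcat()) together with the terminator sentinel that displayrate() zeroes before the call and tests afterwards. The buffer size SIZEOF_RESOLVED, the helper names and the path components are all assumptions chosen so the overflow case is easy to exercise on a tiny buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Pure-FTPd's sizeof_resolved (MAXPATHLEN);
 * kept tiny so that ENAMETOOLONG is reached after a few components. */
#define SIZEOF_RESOLVED 16U

/* Append one path component to `resolved` after the same kind of length
 * check bsd_realpath() performs before its strcat(). Returns 0 on success;
 * -1 with errno = ENAMETOOLONG when the result would not fit, in which
 * case `resolved` is left untouched (nothing is ever written past the end). */
int append_component(char *resolved, size_t sizeof_resolved,
                     const char *component)
{
    size_t cur = strlen(resolved);
    /* A '/' separator is needed unless the buffer already ends in one. */
    int needslash = (cur > 0 && resolved[cur - 1] != '/');

    if (cur + strlen(component) + (size_t) needslash + (size_t) 1U
            > sizeof_resolved) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (needslash) {
        strcat(resolved, "/");
    }
    strcat(resolved, component); /* safe: length checked above */
    return 0;
}

/* Mirror of the test in displayrate(): the last byte of the buffer was
 * zeroed before resolving and must still be zero afterwards.
 * Returns 1 if the sentinel survived, 0 if something overwrote it. */
int sentinel_intact(const char *resolved, size_t sizeof_resolved)
{
    return resolved[sizeof_resolved - 1U] == 0;
}

/* Resolve a list of components into `resolved`, starting from "/".
 * Returns how many components were appended before the first
 * ENAMETOOLONG (n if all of them fit). */
size_t resolve_components(char *resolved, size_t sizeof_resolved,
                          const char *const *components, size_t n)
{
    size_t i;

    resolved[0] = '/';
    resolved[1] = 0;
    resolved[sizeof_resolved - 1U] = 0;   /* sentinel, as displayrate() sets it */
    for (i = 0; i < n; i++) {
        if (append_component(resolved, sizeof_resolved, components[i]) != 0) {
            break;
        }
    }
    return i;
}

int main(void)
{
    /* Constructed sample path; "incoming" is the component that no longer fits. */
    static const char *const parts[] = { "home", "ftp", "incoming", "pub" };
    char resolved[SIZEOF_RESOLVED];
    size_t done = resolve_components(resolved, sizeof resolved, parts, 4);

    printf("appended %zu of 4 components, resolved=\"%s\", errno=%d, sentinel %s\n",
           done, resolved, done < 4 ? errno : 0,
           sentinel_intact(resolved, sizeof resolved) ? "intact" : "clobbered");
    return 0;
}
```

    Because the check counts the separator and the terminating NUL before anything is copied, a component that would need byte sizeof_resolved or beyond is refused rather than written, so the sentinel byte that displayrate() inspects can never be non-zero and the for(;;) loop is unreachable.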

    Regards Adam Zabrocki (pi3).

