5649528 2000-10-27 21:44 /135 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <13476>
Subject: Potential Security Problem in bftpd-1.0.11
------------------------------------------------------------
From: BAILLEUX Christophe <cb@GROLIER.FR>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0010271812330.9992-100000@tshaw.grolier.fr>
Subject : Potential security problem in bftpd (Buffer Overflow)
Author : Christophe BAILLEUX (cb@grolier.fr)
Platforms : *nix
Test version : bftpd-1.0.11
I. Introduction
bftpd is a Linux FTP server with chroot and setreuid. Not all FTP
commands are included. It accesses either the user's home directory
or its ftp subdirectory, and user authentication is via
passwd/shadow or PAM.
II. Problem
The latest version of bftpd has a potential security problem when
handling the USER command: entering more than 35 characters as the
USER argument overflows a fixed-size buffer.
III. Details/Demo
a) Code problem
bftpd-1.0.11/commands.c
102 void command_user(char *username) {
103     char *alias;
104     char name[USERLEN + 7] = "ALIAS_";
105     if(state) {
106         fprintf(stderr, "503 Username already given.\r\n");
107         return;
108     }
109     alias = (char *) config_getoption(strcat(name, username));
110     if(alias[0] != '\0')
b) Demo / gdb output
tshaw:~$ printf "user `perl -e 'print"A"x37'`\n" | nc localhost 21
tshaw:/home/cb/bftpd-1.0.11# gdb /usr/sbin/bftpd 6613
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
Attaching to program: /usr/sbin/bftpd, Pid 6624
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
0x400e7514 in read () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
(gdb) x $esp
0xbffffcb8: 0x41414141
(gdb)
IV. Exploit
It's not possible to exploit it with a standard exploit: commands.c
contains a piece of code that strips every character below 32 from the
command, which mangles the usual NOP sled and shellcode bytes...
469     for(i = 0; i < strlen(str); i++) { /* Remove Internet Explorer garbage */
470         if(str[i] < 32) {
471             memmove((char *) ((int) str + i),
472                     (char *) ((int) str + i + 1),
473                     strlen(str) - i);
474             i--; /* If junk is found, don't increment counter in next loop. */
475         }
476     }
V. Workaround
In bftpd-1.0.11/commands.c, replace line 109
    alias = (char *) config_getoption(strcat(name, username));
with
    alias = (char *) config_getoption(strncat(name, username, USERLEN));
bftpd team has been informed.
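The workaround above and the filter loop from section IV, as an added example that is not bftpd's code: the bounded key construction also reports truncation so a server can reject an over-long USER argument instead of looking up a truncated key, and the control-character strip is done in one pass. USERLEN's value (32) and the 37-character input are assumptions, since the advisory does not give USERLEN.

```c
/* Added example, not bftpd's own code: the USER handling from the advisory
 * with strcat() replaced by a bounded append that reports truncation, plus a
 * single-pass rewrite of the control-character filter in commands.c.
 * USERLEN's value is not stated in the advisory; 32 is an assumed placeholder. */
#include <stdio.h>
#include <string.h>
#define USERLEN 32
#define NAME_BUF (USERLEN + 7)   /* "ALIAS_" (6) + USERLEN + NUL */
/* Constructed input: 37 'A's, the length used in the advisory's demo. */
#define LONG_USER "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAA"

/* Build the "ALIAS_<username>" config key into name[] without overrunning
 * it: strncat() appends at most USERLEN bytes plus a NUL, and
 * 6 + USERLEN + 1 == NAME_BUF. Returns 1 if the whole username was used,
 * 0 if it was truncated (reject the USER command in that case rather than
 * look up a truncated key). */
int build_alias_key(char name[NAME_BUF], const char *username)
{
    strcpy(name, "ALIAS_");
    strncat(name, username, USERLEN);
    return strlen(username) <= USERLEN;
}

/* Same effect as the memmove() loop at commands.c lines 469-476 (drop every
 * byte below 32 in place) in one pass instead of one memmove per junk byte.
 * Like the original it compares plain char, so where char is signed (i386)
 * bytes >= 0x80 are dropped as well. Returns the number of bytes removed. */
size_t strip_control_chars(char *str)
{
    char *src = str, *dst = str;
    size_t removed = 0;
    for (; *src; src++) {
        if (*src < 32)
            removed++;
        else
            *dst++ = *src;
    }
    *dst = '\0';
    return removed;
}

int main(void)
{
    char name[NAME_BUF];
    char line[] = "us\001er\r\n";   /* constructed: control bytes in a command */
    size_t dropped = strip_control_chars(line);
    printf("stripped %zu byte(s): \"%s\"\n", dropped, line);
    printf("%zu-char username fits: %d (key \"%s\")\n", strlen(LONG_USER),
           build_alias_key(name, LONG_USER), name);
    return 0;
}
```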
VI. Greetings :)
Greetings to kalou, kli deda, Geudou deda and all DEDA TEAM!@# :)
Thanks bdev for your help :)
Best regards,
--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr
(5649528) ------------------------------------------(Rewrapped)