5255115 2000-07-05 22:11 /103 lines/ Postmaster
Recipient: Bugtraq (import) <11576>
Subject: proftp advisory
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000703103846.9733E1EE88@lists.securityfocus.com>
Date: Mon, 3 Jul 2000 12:40:54 CEST
Reply-To: lamagra@digibel.org
From: lamagra <lamagra@digibel.org>
To: BUGTRAQ@SECURITYFOCUS.COM

___________________________________________________
http://lamagra.seKure.de: advisory #1

Advisory: misc. bugs
Program name: proftpd
Versions: 1.2.0 <= pre10
Vendor: proftpd.net
Severity: high (root shell) and low
Contact: lamagra@digibel.org

Bug1: void set_proc_title(char *fmt,...) in src/main.c

<snippet>
    memset(statbuf, 0, sizeof(statbuf));
    vsnprintf(statbuf, sizeof(statbuf), fmt, msg);   /* statbuf now contains user-supplied data */
#ifdef HAVE_SETPROCTITLE
    setproctitle(statbuf);                           /* statbuf is passed as the format string */
#endif /* HAVE_SETPROCTITLE */
</snippet>

setproctitle, defined as setproctitle(char *fmt, ...), calls vsnprintf(). This makes it vulnerable to format attacks. By carefully outlining the attack buffer it's possible to gain root privileges.

Fix: use setproctitle("%s",statbuf);

Bug2: MODRET pam_auth(cmd_rec *cmd) in modules/mod_pam.c

<snippet>
    /* Allocate our entries...we don't free this because PAM does this for us. */
    pam_user = malloc(strlen(cmd->argv[0]) + 1);
    if(pam_user == (char *)0)
        return pam_return_type ? ERROR(cmd) : DECLINED(cmd);
    sstrncpy(pam_user, cmd->argv[0], strlen(cmd->argv[0]) + 1);

    pam_pass = malloc(strlen(cmd->argv[1]) + 1);
    if(pam_pass == (char *)0)
        return pam_return_type ? ERROR(cmd) : DECLINED(cmd);
    sstrncpy(pam_pass, cmd->argv[1], strlen(cmd->argv[1]) + 1);
</snippet>

PAM doesn't do it for you though, which leaves a nice memory leak. But since USER/PASS is limited to 3 tries and user changing isn't supported, this can't be used as a denial of service attack against proftpd, unless the administrator sets a different (higher) limit.

Fix: pstrdup() or just use cmd->argv[0] and cmd->argv[1].

Bug3: void logformat(char *nickname, char *fmts) doesn't check boundaries on its local variable 'format'. As a result custom log formats could overflow the buffer. Just a really small thingie :) Could cause some problems though.

Bug3: int dolist(cmd_rec *cmd, const char *opt, int clearflags) in modules/mod_ls.c

<snippet>
    char pbuffer[MAXPATHLEN];

    if(*arg == '~') {
        struct passwd *pw;
        int i;
        const char *p;

        i = 0;
        p = arg;
        p++;
        while(*p && *p != '/')        /* no check against sizeof(pbuffer) */
            pbuffer[i++] = *p++;
        pbuffer[i] = '\0';
</snippet>

This function gets called by cmd_stat, with 'arg' being the argument of STAT. This looks really bad and ugly. But it isn't really exploitable since the input buffer is only 1024 bytes. But it's still insecure programming.

Copyright 2000-2001 lamagra.seKure.de

5274196 2000-07-14 20:03 /121 lines/ Postmaster
Recipient: Bugtraq (import) <11738>
Subject: proftpd non-root patch
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000714104906.31736.qmail@fiver.freemessage.com>
Date: Fri, 14 Jul 2000 10:49:06 -0000
Reply-To: Lamagra Argamal <lamagra@HACKERMAIL.NET>
From: Lamagra Argamal <lamagra@HACKERMAIL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

When a proftpd server is running on a high port (> 1024), it doesn't need root privileges anymore to bind a data connection to the ftpport-1. My patch checks for this and drops uid 0 after authentication. The next snippets are from my proftp-1.2 running on port 2021.

<-snip->
[root@bubbles proftpd-1.2]# ps uax|grep proftpd
lamagra 490 1.5 1.0 1376 1008 ? S 09:28 0:00 proftpd: lamagra - lo
nobody 487 0.0 0.8 1356 776 ? S 09:28 0:00 proftpd (accepting co
[root@bubbles proftpd-1.2]# grep Uid /proc/490/status
Uid: 500 500 500 500
[root@bubbles proftpd-1.2]# grep Gid /proc/490/status
Gid: 500 500 500 500
<-snap->

As you can see it runs fully without privileges after authentication.

---> If you don't like non-standard things, stop reading here <--

My patch also includes an extra option: by setting the option "NonrootServer" on in the config file of proftpd, it doesn't use ftpport-1 as a data port. It is replaced with a dynamically assigned (by the kernel) port; these are high ports. If this feature is selected all privileges are dropped after authentication, as seen in the next snippet.

<-snip->
tcp 1 0 localhost:1285 localhost:1284 TIME_WAIT
This is the data connection bound to a high port.

ftp 527 0.0 0.8 1396 848 ? S 09:31 0:00 proftpd: ftp - localh
Uid: 14 14 14 14

In proftpd.conf:
NonrootServer on
<-snap->

I don't see any problems with this except that the RFC says ftpport-1. If anyone can see a problem, please contact me as I'd like to know.

-lamagra
http://lamagra.seKure.de
Content-Type: application/octet-stream; name="proftp.patch"
Content-Disposition: attachment; filename="proftp.patch"
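Added example (not code from the advisory or from proftpd) showing what the one-line fix for Bug1 in the first message changes. setproctitle(3) is not available on every system, so a stand-in sink with the same printf-style signature is assumed; the probe string uses only "%%", which a sink that interprets its input as a format collapses to "%" without consuming any arguments, so the check stays within defined behaviour and is a safe way to test whether a sink treats its data as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for setproctitle(3) (assumption: the real one may be absent).
 * Like the real function it takes a printf-style format, which is exactly
 * what makes passing user data as the first argument dangerous. */
static char proc_title[256];

static void title_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof(proc_title), fmt, ap);
    va_end(ap);
}

/* Shape of Bug1: statbuf already holds user-controlled data and is then
 * handed to the sink as its format string. */
const char *set_proc_title_vuln(const char *user)
{
    char statbuf[256];
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", user);
    title_sink(statbuf);            /* user data parsed as a format */
    return proc_title;
}

/* The advisory's fix: the format is a constant and statbuf is only data. */
const char *set_proc_title_fixed(const char *user)
{
    char statbuf[256];
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", user);
    title_sink("%s", statbuf);      /* user data is only ever printed */
    return proc_title;
}

int main(void)
{
    /* Constructed probe: "%%" is the only directive used, so the vulnerable
     * path visibly rewrites the title while staying within defined behaviour. */
    printf("vulnerable: %s\n", set_proc_title_vuln("50%%off"));
    printf("fixed:      %s\n", set_proc_title_fixed("50%%off"));
    return 0;
}
```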
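A bounded rewrite of the '~user' scan from the dolist() snippet (the second Bug3 in the advisory), as an added example rather than proftpd's own fix: the function name tilde_user, its return convention and the harness around it are assumptions; MAXPATHLEN is taken from the snippet.

```c
#include <stddef.h>
#include <string.h>

#define MAXPATHLEN 1024   /* the pbuffer size the dolist() snippet relies on */

/* Copy the user-name component of "~user/..." into out[outsz], stopping at
 * '/' or the end of the string. Returns the number of bytes copied, or -1
 * when arg is not a '~' path or the name would not fit. The original loop
 * had no bound, so a long name ran past pbuffer[MAXPATHLEN]. */
int tilde_user(const char *arg, char *out, size_t outsz)
{
    const char *p = arg;
    size_t i = 0;

    if (outsz == 0 || *p != '~')
        return -1;
    p++;                                   /* skip the '~' */
    while (*p && *p != '/') {
        if (i + 1 >= outsz) {              /* keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        out[i++] = *p++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Harness using a buffer of the same size dolist() uses: 1 if the STAT
 * argument's user component fits, 0 if the bounded copy rejected it. */
int tilde_user_fits(const char *arg)
{
    char pbuffer[MAXPATHLEN];
    return tilde_user(arg, pbuffer, sizeof(pbuffer)) >= 0;
}
```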
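Added example (not part of the patch mail) that automates the Uid/Gid check the author performs with grep on /proc/<pid>/status: it reads all four id columns and accepts the process only when none of them could lead back to root. The function names and the constructed status text in the comments are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find the "Uid:" or "Gid:" line in a /proc/<pid>/status text and read its
 * four columns: real, effective, saved set and filesystem id. 1 on success. */
static int status_ids(const char *status, const char *key, unsigned ids[4])
{
    const char *line = status;
    size_t klen = strlen(key);
    while (line && *line) {
        if (strncmp(line, key, klen) == 0 &&
            sscanf(line + klen, "%u %u %u %u",
                   &ids[0], &ids[1], &ids[2], &ids[3]) == 4)
            return 1;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* 1 only if all four uid columns equal uid, all four gid columns equal gid,
 * and neither is 0. The first column alone would miss a process whose saved
 * set-user-ID is still 0, which can regain root with setuid(0). */
int privileges_dropped(const char *status, unsigned uid, unsigned gid)
{
    unsigned u[4], g[4];
    int i;
    if (uid == 0 || gid == 0)
        return 0;
    if (!status_ids(status, "Uid:", u) || !status_ids(status, "Gid:", g))
        return 0;
    for (i = 0; i < 4; i++)
        if (u[i] != uid || g[i] != gid)
            return 0;
    return 1;
}

/* Stand-alone use on Linux: ./a.out 500 500 checks the current process. */
int main(int argc, char **argv)
{
    char buf[4096];
    FILE *f = (argc == 3) ? fopen("/proc/self/status", "r") : NULL;
    if (!f)
        return 2;
    buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
    fclose(f);
    puts(privileges_dropped(buf, atoi(argv[1]), atoi(argv[2])) ? "dropped" : "NOT dropped");
    return 0;
}
```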