10727197 2003-09-22 12:44 +0000 /69 lines/ Adam Zabrocki <pi3ki31ny@wp.pl>
Imported: 2003-09-22 19:34 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <29130>
Subject: Wu_ftpd all versions (not) vulnerability.
------------------------------------------------------------
From: Adam Zabrocki <pi3ki31ny@wp.pl>
To: bugtraq@securityfocus.com
Message-ID: <20030922124416.31517.qmail@sf-www1-symnsj.securityfocus.com>

I. Entry.

(Not) vulnerable are all versions of the wu_ftpd daemon; not in the default
installation. When we use the option where the daemon sends an e-mail with
the names of uploaded files, the daemon uses the function store() and next
SockPrintf().

II. Vulnerability details.

The vulnerable function is SockPrintf(). There is a buffer overflow bug
(remote) when the function uses vsprintf():

"in file src/ftpd.c"

    int SockPrintf(FILE *sockfp, char *format,...)
    {
        va_list ap;
        char buf[32768];

        va_start(ap, format);
        vsprintf(buf, format, ap);   /* no length bound on the expanded format */
        va_end(ap);
        return SockWrite(buf, 1, strlen(buf), sockfp);
    }

buf is a char array (32768). The argument *format is used by vsprintf.

Now look at the function store():

"in file src/ftpd.c"

    void store(char *name, char *mode, int unique)
    {
        ...
        ...
    #ifdef MAIL_ADMIN
        ...
        ...
        SockPrintf(sck, "From: wu-ftpd <%s>\r\n", mailfrom);
        SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
        ...
        SockPrintf(sck, "%s uploaded %s from %s.\r\nFile size is %d.\r\n Please move the file where it belongs.\r\n", guestpw, pathname, remotehost, byte_count);
        ...
    #endif /* MAIL_ADMIN */
        ...
        ...
    }

In this function we have control over the argument name, and in theory we
can do a remote overflow via the call:

    SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);

... but in the system (Linux) there is a restriction of path_name = 4095,
and in this example we should build a minimum path_name = 32778 :-)
(Is it possible to bypass it?)

III. Exploit.

Nah :-) Read the second section :P

--
pi3 (piekielny / pi3ki31ny) - pi3ki31ny@wp.pl
http://www.pi3.int.pl
"Fuck the system - FTS"
"Love your mummy and friends :D"

(10727197) /Adam Zabrocki <pi3ki31ny@wp.pl>/(Rewrapped)


10733194 2003-09-22 23:00 +0000 /24 lines/ Marcin Ulikowski <r3b00t@tx.pl>
Imported: 2003-09-23 20:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: r3b00t@tx.pl
Recipient: Bugtraq (import) <29147>
Subject: Re: Wu_ftpd all versions (not) vulnerability.
------------------------------------------------------------
From: "Marcin Ulikowski" <r3b00t@tx.pl>
To: bugtraq@securityfocus.com
Message-ID: <20030922204742.22766.qmail@mail.securityfocus.com>

From: Adam Zabrocki <pi3ki31ny@wp.pl>
> .... but in the system (Linux) there is a restriction of path_name = 4095,
> and in this example we should build a minimum path_name = 32778 :-)
> (Is it possible to bypass it?)

Linux 2.2.x and some early 2.4.x kernel versions define PATH_MAX to be 4095
characters, thus only wu_ftpd binaries compiled on 2.0.x or later 2.4.x
kernels can be affected.

--
-------------------------------
r3b00t ~ [http://r3b00t.tx.pl/]
just do main(){while(1)fork();}
-------------------------------
________________________________________________
http://tx.pl - Web accounts + PHP + MySQL

(10733194) /Marcin Ulikowski <r3b00t@tx.pl>/(Rewrapped)
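The SockPrintf() quoted in Adam Zabrocki's message formats into buf[32768] with vsprintf(), which writes however much the format expands to. The block below is an added example, not wu-ftpd's code: the same pattern rewritten around vsnprintf() so that an oversized "Subject:" line is truncated and reported rather than written past the buffer. It assumes a 64-byte stand-in buffer (SOCKBUF) and constructed file names; the function and macro names are its own.

```c
/* Added example, not wu-ftpd's own code: a bounded replacement for the
 * SockPrintf() pattern quoted in the post. vsnprintf() stops at the buffer
 * size and returns the length the output needed, so truncation is detectable. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SOCKBUF 64   /* stand-in for buf[32768] in the original SockPrintf() */

/* Format into buf (at most bufsz bytes, always NUL-terminated); returns the
 * full length the output would have had, as vsnprintf() does. */
int sock_format_bounded(char *buf, size_t bufsz, const char *format, ...)
{
    va_list ap;
    int needed;
    va_start(ap, format);
    needed = vsnprintf(buf, bufsz, format, ap);
    va_end(ap);
    return needed;
}

/* The "Subject:" line that store() emits for an uploaded file. Returns 1 when
 * the whole line fits in out[], 0 when it had to be truncated (the input that
 * the unbounded vsprintf() version would have written past the buffer). */
int subject_line_fits(const char *name, char *out, size_t outsz)
{
    int needed = sock_format_bounded(out, outsz,
                                     "Subject: New file uploaded: %s\r\n\r\n",
                                     name);
    return needed >= 0 && (size_t)needed < outsz;
}

/* Constructed inputs: a short file name, then one longer than the buffer. */
int demo_short_name(void)
{
    char out[SOCKBUF];
    return subject_line_fits("report.txt", out, sizeof out);
}

int demo_long_name(void)
{
    char name[200], out[SOCKBUF];
    int fits;
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    fits = subject_line_fits(name, out, sizeof out);
    /* truncated, but out[] is still NUL-terminated within its bounds */
    return !fits && strlen(out) == SOCKBUF - 1;
}
```

A caller that gets 0 back can drop or shorten the line; the original code has no such signal because vsprintf() returns only the length it already wrote.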