Bugtraq: Re: ProFTPD

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: ProFTPD

From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Tue, 31 Aug 1999 16:48:18 -0400


On Sun, Aug 29, 1999 at 11:27:48AM -0300, dumped wrote:

Here goes the fix.


dumped
Sekure SDI


Or not.

@@ -181,7 +186,7 @@

   /* otherwise everthing is good */
   p = mod_privdata_alloc(cmd,"stor_filename",strlen(dir)+1);
-  strcpy(p->value.str_val,dir);
+  strncpy(p->value.str_val, dir, strlen(p->value.str_val));


Notice p was returned from a mod_privdata_alloc which is more than big
enough.  Not to mention, as someone pointed out, that strlen() can't
possibly be what you meant.

Nic's patch also did not fix the problem, here.  Attached is one that
did.

There's a couple other places in ProFTPd which strike me as, if not
insecure, at least insufficiently paranoid; I'll pass along a patch for
those to proftpd-l later.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/


--- ../../orig/proftpd-1.2.0pre4/src/support.c  Thu Mar  4 19:29:21 1999
+++ support.c   Tue Aug 31 14:52:03 1999
@@ -582,7 +582,7 @@ char *sreplace(pool *p, char *s, ...)
   char **mptr,**rptr;
   char *marr[33],*rarr[33];
   char buf[1024];
-  int mlen = 0,rlen = 0;
+  int mlen = 0,rlen = 0, done = 0;

   cp = buf;

@@ -600,12 +600,16 @@ char *sreplace(pool *p, char *s, ...)

   va_end(args);

-  while(*src) {
+  while(*src && !done) {
     for(mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
       mlen = strlen(*mptr);
       rlen = strlen(*rptr);

       if(strncmp(src,*mptr,mlen) == 0) {
+        if(cp + rlen > buf + 1023) {
+          done = 1;
+          break;
+        }
         strcpy(cp,*rptr);
         cp += rlen;
         src += mlen;
@@ -613,8 +617,11 @@ char *sreplace(pool *p, char *s, ...)
       }
     }

-    if(!*mptr)
+    if(!*mptr) {
+      if(cp > buf + 1022)
+        break;
       *cp++ = *src++;
+    }
   }

   *cp = '\0';

By Date By Thread

Current thread:

Re: ProFTPD Daniel Jacobowitz (Aug 31)
- <Possible follow-ups>
- Re: ProFTPD pb () ECLIPSE CERTIX FR (Sep 01)