Bugtraq
mailing list archives
Re: ProFTPD
From: pb () ECLIPSE CERTIX FR (pb () ECLIPSE CERTIX FR)
Date: Wed, 1 Sep 1999 11:35:11 +0200
Hi,
Note that user takes the value "user () host" given at password prompt
for anonymous access (forgetting any potential dns attacks into remhost)
This allows anyone to smash the stack just with an anonymous access
and a file to download.
(see last published exploits.)
Regards,
Pascal
On Mon, Aug 30, 1999 at 07:42:44PM +1200, Nic Bellamy wrote:
- sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
+ snprintf(buf,sizeof(buf),"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
fmt_time(time(NULL)),xfertime,remhost,fsize,
fname,xfertype,direction,access,user);
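Review bot: the return value of the new snprintf() call is discarded, so a record that does not fit in buf is silently cut and loses its trailing " ftp 0 *\n", which lets the next log entry run onto the same line. Compare the result against sizeof(buf) and skip or flag the entry when it is too long. Also confirm that buf is an array declared in this scope rather than a char * parameter: its declaration is outside the hunk, and sizeof(buf) would otherwise be the size of a pointer. fname and user on the context lines are the client-influenced fields, so they are the ones that will reach the limit.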
To exploit the bug, the attacker must have permission to create
directories and store files.
Regards,
Nic.
-- Nic Bellamy <sky () wibble net>
J. Random Coder.
--
Pascal Bouchareine
Administration systemes/reseaux - CERTIX
Tel: +33 1 40 34 43 57
Fax: +33 1 40 35 09 98
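Added example (not part of the original posts and not ProFTPD's code): the format string from the quoted patch, written with a bounded call whose return value is checked, so an over-long user string from the anonymous password prompt is rejected instead of overflowing or truncating the record. The helper name format_xferlog, the buffer size and all sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define XFERLOG_MAX 1024   /* assumed buffer size, not taken from ProFTPD */

/* Hypothetical helper: format one xferlog-style record into out[outlen].
 * Returns the record length on success, or -1 if the record would not
 * fit (out is then set to the empty string). */
int format_xferlog(char *out, size_t outlen, const char *when, int xfertime,
                   const char *remhost, unsigned long fsize, const char *fname,
                   char xfertype, char direction, char access, const char *user)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n",
                 when, xfertime, remhost, fsize, fname,
                 xfertype, direction, access, user);
    /* snprintf returns the length it wanted to write; >= outlen means the
     * record was cut short and lost its trailing newline. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[XFERLOG_MAX];
    char longuser[4096];
    int n;

    /* Constructed input: an over-long "user@host" string as it could be
     * typed at the anonymous password prompt. */
    memset(longuser, 'A', sizeof(longuser) - 1);
    longuser[sizeof(longuser) - 1] = '\0';

    n = format_xferlog(buf, sizeof(buf), "Wed Sep  1 11:35:11 1999", 1,
                       "client.example", 42UL, "/pub/file", 'b', 'o', 'a',
                       "guest@example.org");
    printf("normal record: %d bytes: %s", n, buf);
    n = format_xferlog(buf, sizeof(buf), "Wed Sep  1 11:35:11 1999", 1,
                       "client.example", 42UL, "/pub/file", 'b', 'o', 'a',
                       longuser);
    printf("over-long user: %d (rejected)\n", n);
    return 0;
}
```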