Bugtraq
mailing list archives
Re: proftp advisory
From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 5 Jul 2000 14:23:19 -0700
Hi!
I accidentally discovered Bug1 on 4/20/00 when playing with ProFTP
1.2.0pre10 on OpenBSD. However, credit for knowing what the problem was
and providing a patch goes to David MacKenzie. :)
You can see our comments at:
http://bugs.proftpd.net/show_bug.cgi?id=121
--- src/main.c 2000/01/13 01:47:02 1.3
+++ src/main.c 2000/04/29 19:22:18
@@ -377,7 +377,7 @@
vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
#ifdef HAVE_SETPROCTITLE
- setproctitle(statbuf);
+ setproctitle("%s", statbuf);
#endif /* HAVE_SETPROCTITLE */
va_end(msg);
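Review bot: The one-line change is the correct fix, but a short comment on the `+ setproctitle("%s", statbuf);` line would help future readers, since statbuf has just been filled by vsnprintf() from caller data and may carry client-controlled text; passing it as the format argument lets any '%' in that data be interpreted a second time, whereas "%s" turns it into a plain argument. The hunk only covers the HAVE_SETPROCTITLE branch, so any other sink in main.c that receives statbuf as a format string deserves the same treatment, and building with gcc's -Wformat-security would flag non-literal format arguments like the removed line automatically.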
Max
On Mon, 3 Jul 2000, lamagra wrote:
___________________________________________________
http://lamagra.seKure.de: advisory #1
Advisory: misc. bugs
Programname: proftpd
Versions: 1.2.0 <= pre10
Vendor: proftpd.net
Severity: high (root shell) and low
Contact: lamagra () digibel org
Bug1:
void set_proc_title(char *fmt,...) in src/main.c
<snippet>
memset(statbuf, 0, sizeof(statbuf));
vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
#ifdef HAVE_SETPROCTITLE
setproctitle(statbuf);
#endif /* HAVE_SETPROCTITLE */
</snippet>
setproctitle, defined as setproctitle(char *fmt, ...), calls vsnprintf().
This makes it vulnerable to format attacks. By carefully outlining the
attack buffer it's possible to gain root privileges.
Fix: use setproctitle("%s",statbuf);
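The bug and its fix side by side, as an added example that is not ProFTPD's code and not part of either message above. Because setproctitle() only exists on the BSDs, the example substitutes a hypothetical set_title() that, like setproctitle(), formats its arguments with vsnprintf() into a global buffer; the buffer name, the "proftpd: %s" prefix and the sample input are constructed for illustration. The unsafe path is the pattern from the advisory's snippet, the safe path is the patched one; the input uses only "%%" so the double parse is visible without touching any memory it should not.

```c
/* Added example: why setproctitle(statbuf) is a format-string bug and
 * how setproctitle("%s", statbuf) closes it. set_title() is a stand-in
 * (assumption) for the BSD setproctitle(), which also runs vsnprintf()
 * on its arguments. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 256
static char g_title[TITLE_MAX];   /* stand-in for the process title */

/* Stand-in for setproctitle(const char *fmt, ...): formats into g_title. */
static void set_title(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_title, sizeof(g_title), fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern from the advisory: statbuf has already been
 * formatted, then is handed to the title function AS the format, so any
 * '%' in untrusted data (e.g. a client-supplied file name) is parsed a
 * second time by vsnprintf(). */
const char *proc_title_unsafe(const char *untrusted)
{
    char statbuf[TITLE_MAX];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", untrusted);
    set_title(statbuf);            /* BUG: data used as a format string */
    return g_title;
}

/* Patched pattern: constant format, data passed as an argument, so the
 * contents of statbuf can never be interpreted as directives. */
const char *proc_title_safe(const char *untrusted)
{
    char statbuf[TITLE_MAX];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s", untrusted);
    set_title("%s", statbuf);      /* FIX: statbuf is now an argument */
    return g_title;
}

/* Audit helper for tests or log review: does a piece of caller-supplied
 * data contain something vsnprintf() would treat as a directive? The
 * real fix is still the constant format above, not input filtering. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed input: "%%" is harmless but makes the second parse
     * visible. With real conversions the same path would read, or with
     * %n write, memory the caller never meant to expose. */
    const char *name = "RETR 100%%.zip";
    printf("unsafe: %s\n", proc_title_unsafe(name)); /* 100%.zip  */
    printf("safe:   %s\n", proc_title_safe(name));   /* 100%%.zip */
    printf("directive present: %d\n", has_format_directive(name));
    return 0;
}
```

The unsafe variant silently turns "100%%.zip" into "100%.zip", proving the title function re-parsed client data as a format; the safe variant preserves the bytes exactly. Compiling the unsafe call with gcc's -Wformat-security (with a format attribute on set_title, as the real setproctitle() has) reports the non-literal format at build time.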