Bugtraq
mailing list archives
Re: proftp advisory
From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Wed, 5 Jul 2000 15:27:27 -0700
On Mon, Jul 03, 2000 at 12:40:54PM +0200, lamagra wrote:
> Bug1:
> void set_proc_title(char *fmt,...) in src/main.c
> <snippet>
> memset(statbuf, 0, sizeof(statbuf));
> vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
> #ifdef HAVE_SETPROCTITLE
> setproctitle(statbuf);
> #endif /* HAVE_SETPROCTITLE */
> </snippet>
> setproctitle, defined as setproctitle(char *fmt, ...);, calls vsnprintf().
> This makes it vulnerable to format attacks. By carefully outlining the
> attack buffer it's possible to gain root privileges.
> Fix: use setproctitle("%s", statbuf);
Note that this is a problem only if you have a setproctitle() in libc
(or libutil). Linux does not (glibc 2.x), and I don't believe Solaris
does either.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan () debian org | | dmj+ () andrew cmu edu |
\--------------------------------/ \--------------------------------/
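The point of the thread is that a setproctitle() whose first parameter is a printf-style format will interpret whatever is in statbuf, so the data must be passed as an argument behind a constant "%s" format instead. The following is an added illustration, not code from proftpd, lamagra's advisory, or any libc: since glibc has no setproctitle() (as Dan notes), it uses a hypothetical stand-in, fake_setproctitle(), with the same format-then-varargs signature, and shows the unsafe call beside the fixed one plus a small review-time check for format directives in data that is about to be used as a format. The sample input is constructed; it uses "%%" because that is the only directive that expands deterministically without extra arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a libc/libutil setproctitle(char *fmt, ...): it treats its
 * first argument as a printf-style format and expands it with vsnprintf,
 * which is the property the advisory is about. Hypothetical helper, not
 * proftpd's or any libc's implementation. */
static char title_buf[128];

static void fake_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(title_buf, sizeof(title_buf), fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern from the advisory: a buffer that may carry
 * user-influenced text is handed over as the format string itself. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
const char *set_title_unsafe(const char *statbuf)
{
    fake_setproctitle(statbuf);   /* statbuf is parsed for % directives */
    return title_buf;
}
#pragma GCC diagnostic pop

/* Fixed pattern (the advisory's fix): constant format, data as argument. */
const char *set_title_safe(const char *statbuf)
{
    fake_setproctitle("%s", statbuf);   /* statbuf is copied verbatim */
    return title_buf;
}

/* Review/test helper: returns 1 if the string contains a '%' that would
 * start a conversion when used as a format, treating "%%" as a literal. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* escaped percent */
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input resembling a client-supplied string. */
    const char *user_input = "STOR 100%%done";
    printf("unsafe: %s\n", set_title_unsafe(user_input));   /* "%%" collapses to "%" */
    printf("safe:   %s\n", set_title_safe(user_input));     /* text preserved */
    printf("flag:   %d\n", contains_format_directive("%s %x"));
    return 0;
}
```

With the unsafe call the "%%" in the input is consumed as a format directive and the title changes; with the "%s" form the input is stored byte for byte, which is exactly the difference the suggested fix relies on. The contains_format_directive() helper is a cheap assertion to put in a test suite around any wrapper that forwards a caller's buffer as a format.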