Remote hole in ftpd that can lead to root compromise
- To: bugs@openbsd.org
- Subject: Remote hole in ftpd that can lead to root compromise
- From: Kristian Vlaardingerbroek <kris@obit.nl>
- Date: Mon, 04 Dec 2000 11:52:48 +0100
- Organization: OBIT bv
Hi,
Well, I'm sorry to report to you that your 3 years of remote safeness have
just ended. Due to an off-by-one bug in void replydirname(name,
message), it is possible to gain remote root on an OpenBSD machine (and
on any other OS capable of running the BSD ftpd daemon).
void
replydirname(name, message)
    const char *name, *message;
{
    char npath[MAXPATHLEN];
    int i;

    for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
        npath[i] = *name;
        if (*name == '"')
            npath[++i] = '"';   /* second byte is stored without re-checking the bound */
    }
    npath[i] = '\0';            /* can land one past the end of npath */
    reply(257, "\"%s\" %s", npath, message);
}
If MAXPATHLEN is reached, "npath[i] = '\0';" writes to
npath[MAXPATHLEN+1].
The fix is very simple: just change "char npath[MAXPATHLEN];" to "char
npath[MAXPATHLEN+1];".
There isn't a public exploit available yet, but I know of a private one
that could be released sooner or later.
I hope I've informed you enough with this message.
Regards,
Kristian Vlaardingerbroek
Security Specialist
OBIT bv.
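The boundary described in this report, as an added example that is not part of the original mail or of the ftpd sources: the quote-doubling loop is reproduced with a small assumed buffer size (BUFSZ instead of MAXPATHLEN) and a probe that reports the index the terminating NUL lands on, beside a hardened variant that stores a character only when every byte it expands to, plus the NUL, still fits.

```c
#include <string.h>
/* Assumed small size so the boundary is easy to follow; ftpd uses MAXPATHLEN. */
#define BUFSZ 8
/* The replydirname() loop, parameterised on the size it believes npath has.
 * 'out' needs cap + 2 bytes of backing so the probe stays in bounds; a
 * returned NUL index >= cap means the real function overran npath. */
static size_t quote_copy_original(const char *name, char *out, size_t cap)
{
    size_t i;
    for (i = 0; *name != '\0' && i < cap - 1; i++, name++) {
        out[i] = *name;
        if (*name == '"')
            out[++i] = '"';   /* second byte stored without a bounds check */
    }
    out[i] = '\0';
    return i;
}

/* Hardened variant (added here, not ftpd code): store a character only if
 * every byte it expands to plus the NUL still fits; otherwise stop. */
static size_t quote_copy_hardened(const char *name, char *out, size_t cap)
{
    size_t i = 0;
    while (*name != '\0') {
        size_t need = (*name == '"') ? 2 : 1;
        if (cap - 1 - i < need)
            break;
        out[i++] = *name;
        if (*name == '"')
            out[i++] = '"';
        name++;
    }
    out[i] = '\0';
    return i;
}
/* Index the NUL lands on for a BUFSZ-byte npath; 'hardened' picks the variant. */
size_t nul_index(int hardened, const char *name)
{
    char storage[BUFSZ + 2] = {0};
    return hardened ? quote_copy_hardened(name, storage, BUFSZ)
                    : quote_copy_original(name, storage, BUFSZ);
}
/* 1 if the hardened copy of 'name' into BUFSZ bytes equals 'expected'. */
int hardened_copy_equals(const char *name, const char *expected)
{
    char storage[BUFSZ] = {0};
    quote_copy_hardened(name, storage, BUFSZ);
    return strcmp(storage, expected) == 0;
}
```

With BUFSZ bytes, a name of six characters followed by a quote makes the original loop place the NUL at index BUFSZ, one past the buffer, while the hardened variant truncates before the quote and never emits a half-written pair.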