COMMAND

    ftpd

SYSTEMS AFFECTED

    QNX RTP ftpd

PROBLEM

    Przemyslaw Frasunek found the following.  QNX RTP uses a BSD-derived
    FTP server which is vulnerable to a strtok()-based stack overflow.
    Offending code from ftpd/popen.c:

        char **pop, *argv[100], *gargv[1000], *vv[2];

        /* argv has 100 slots, but nothing bounds argc: every extra
           token returned by strtok() is stored past the end of the
           array, on the stack */
        for (argc = 0, cp = program;; cp = NULL)
                if (!(argv[argc++] = strtok(cp, " \t\n")))
                        break;

        /* glob each piece */
        gargv[0] = argv[0];
        for (gargc = argc = 1; argv[argc]; argc++) {
            argv[argc] = strdup(argv[argc]);

    This code is called when the STAT command is issued.  The overflow
    occurs when a large number of arguments is supplied.

    Identifying a vulnerable system:

        220 quics.qnx.com FTP server (Version 5.60) ready.
        user ftp
        331 Guest login ok, send ident as password.
        pass dupa
        230 Guest login ok, access restrictions apply.
        stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
        Connection closed by foreign host.

    The old BSD-derived ftpd is also used in opieftpd and SSLftpd.  Both
    are vulnerable to this attack.

    In case anyone is wondering how old is old:

        revision 1.5
        date: 1996/11/20 22:12:50;  author: pst;  state: Exp;  lines: +9 -5
        Truncate argument list to avoid buffer overflows.

        Cannidate for: 2.1 and 2.2
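    A bounded version of that tokenizer loop, as an added example that is
    not the QNX, BSD or heimdal ftpd code: it applies the truncation the
    1996 commit log describes, capping the stored argument count at the
    size of the argv array and reporting when tokens were dropped.  The
    names MAXARGS, split_args and the constructed STAT line are assumptions
    of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAXARGS 100   /* same size as the argv[100] array in popen.c */

/* Bounded replacement for the strtok() loop quoted from popen.c: splits
 * `line` in place on blanks, tabs and newlines, stores at most MAXARGS-1
 * pointers in `argv`, always NULL-terminates the array and sets
 * *truncated when tokens had to be dropped.  Returns the argument count.
 * (Added example, not the QNX, BSD or heimdal ftpd code.) */
int split_args(char *line, char *argv[MAXARGS], int *truncated)
{
    int argc = 0;
    char *tok;

    *truncated = 0;
    for (tok = strtok(line, " \t\n"); tok != NULL; tok = strtok(NULL, " \t\n")) {
        if (argc == MAXARGS - 1) {   /* keep one slot for the terminator */
            *truncated = 1;
            break;
        }
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Constructed input: a STAT line followed by n single-letter arguments,
 * mirroring the session transcript above. */
static int split_stat_line(int n, int *truncated)
{
    static char line[4096];
    char *argv[MAXARGS];
    int i, len;

    len = snprintf(line, sizeof line, "stat");
    for (i = 0; i < n && len < (int)sizeof line - 3; i++)
        len += snprintf(line + len, sizeof line - len, " a");
    return split_args(line, argv, truncated);
}

/* Number of arguments kept for a STAT line with n extra arguments. */
int args_kept(int n)      { int t; return split_stat_line(n, &t); }
/* 1 if such a line had arguments dropped, 0 otherwise. */
int args_truncated(int n) { int t; split_stat_line(n, &t); return t; }
```

    With 200 arguments, as in the transcript above, 99 entries are stored
    and the rest are dropped instead of overwriting the stack.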

    The same problem persists in the heimdal / kerberosIV ftpd
    implementation:

        heimdal/appl/ftp/ftpd/popen.c and kerberosIV/appl/ftp/ftpd/popen.c:

        char **pop, *argv[100], *gargv[1000];

        /* break up string into pieces; as above, argc is never checked
           against the 100-entry argv array */
        foo = NULL;
        for (argc = 0, cp = program;; cp = NULL) {
                if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
                        break;
        }

    Both are based on BSD-derived ftpd version 6.00.

    Rob Seace confirmed this same behavior with the FTP server that ships
    with QNX 4.25 (their highly expensive previous RTOS, which is NOT
    available for free download)...  That FTP server also reports the same
    "Version 5.60", so we imagine they are one and the same, anyway...

SOLUTION

    Nothing yet.