COMMAND
proftpd
SYSTEMS AFFECTED
proftpd-1.2.0.pre6
PROBLEM
Tymm Twillman found following. It was tested on Linux with
standard RedHat 6.0 install (w/glibc 2.0 compatability), proftpd
installed with configure/make/make install...
- ftp to host
- login (anonymous or no)
ftp> ls aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%653300u%n
(replace the X's with the characters with ascii values 0xdc,
0x4f, 0x07,0x08 consecutively)
Lots of other nasties can easily be easily done with this. Since
proftpd will pass on user input data to snprintf, argument attacks
are easy. The a's at the beginning are just for alignment, the
%u's to skip bytes in the stack, the %653300u is to increment the
# of bytes that have been "output", and the %n stores that value
(whose LSBs have now flipped over to 0) to the location pointed
to by the current "argument" -- which just happens to point right
after the a's in this string. The bytes that replace the X's are
the address where proftpd keeps the current user ID...
Logging in as an anonymous user, you are still restricted as to
some of the things you can do. With a local login, root
compromise at this point is trivial. And it is very possible to
modify this exploit for other systems, and for nastier attacks.
SOLUTION
Hm, another upgrade or another ftpd? It's up to you. Here's the
patch. Note that there are other potential problems. Anyhow,
here's the patch:
--- proftpd-1.2.0pre6.old/src/main.c Fri Sep 10 15:49:32 1999
+++ proftpd-1.2.0pre6/src/main.c Thu Sep 16 01:50:43 1999
@@ -379,7 +379,7 @@
#if PF_ARGV_TYPE == PF_ARGV_WRITEABLE
/* We can overwrite individual argv[] arguments. Semi-nice.
*/
- snprintf(Argv[0], maxlen, statbuf);
+ snprintf(Argv[0], maxlen, "%s", statbuf);
p = &Argv[0][i];
while(p < LastArgv)
Proftpd 1.2.0pre7 should be out ; please UPGRADE ASAP. There are
also other issues addressed in this release that may or may not
have serious security implications. Location is:
ftp://ftp.tos.net:/pub/proftpd/