SecurityTracker.com
SecurityTracker
Archives
Category:   Application (File Transfer/Sharing)  >   Wu-ftpd
Vendors:   WU-FTPD Development Group
wu-ftpd MAIL_ADMIN Option May Let Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007775
SecurityTracker URL:  http://securitytracker.com/id/1007775
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 22 2003
Impact:   Execution of arbitrary code via network

Version(s): 2.6.2 and prior versions
Description:   A vulnerability was reported in wu-ftpd when it is built in a non-default configuration (MAIL_ADMIN). A remote authenticated user may be able to execute arbitrary code.

It is reported that when the daemon is configured to send e-mail messages containing the names of uploaded files (i.e., compiled with the MAIL_ADMIN option), a buffer overflow in the SockPrintf() function in 'ftpd.c' can be triggered by a remote authenticated user uploading a file with a malicious file name.

According to the report, the store() function in 'ftpd.c' calls SockPrintf() with the user-supplied file name. SockPrintf() formats its arguments into a fixed 32768-byte stack buffer with vsprintf(), which performs no length check, so any formatted message longer than the buffer overflows it. The reporter notes, however, that the 'pathname' argument is bounded by MAXPATHLEN (typically 4095 characters on Linux systems), far short of the roughly 32768 characters needed, and leaves open whether that limit can be bypassed.

A remote authenticated user with file upload privileges may be able to execute arbitrary code on the target system with the privileges of the wu-ftpd process (however, that was not confirmed).

Impact:   A remote authenticated user with file upload privileges may be able to execute arbitrary code with the privileges of the wu-ftpd process.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.wuftpd.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 25 2003 (Slackware Issues Fix) wu-ftpd MAIL_ADMIN Option May Let Remote Authenticated Users Execute Arbitrary Code
Slackware has released a fix.



 Source Message Contents

Subject:  Wu_ftpd all versions (not) vulnerability.




I.  Entry.

    (Not) vulnerable are all versions of the wu_ftp daemon; not in the default installation.
When we use the option where the daemon sends an e-mail with the names of uploaded files,
the daemon uses the function store() and then SockPrintf().

II. Vulnerability details.

    The vulnerable function is SockPrintf(). There is a (remote) buffer
overflow bug when the function uses vsprintf():

"in file src/ftpd.c"
#include <stdarg.h>   /* va_list, va_start, va_end */
#include <stdio.h>    /* vsprintf */
#include <string.h>   /* strlen */

int SockPrintf(FILE *sockfp, char *format,...)
{
    va_list ap;
    char buf[32768];            /* fixed-size stack buffer */

    va_start(ap, format);
    vsprintf(buf, format, ap);  /* unbounded: writes past buf if the formatted text exceeds 32768 bytes */
    va_end(ap);
    return SockWrite(buf, 1, strlen(buf), sockfp);
}

buf is a char array (32768). The argument *format is used by vsprintf.
Now look at the function store():

"in file src/ftpd.c"
void store(char *name, char *mode, int unique)
{
...
...
#ifdef MAIL_ADMIN
...
...
        SockPrintf(sck, "From: wu-ftpd <%s>\r\n", mailfrom);
        /* name is the client-supplied file name */
        SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);
...
        /* guestpw, pathname and remotehost are all derived from the client session */
        SockPrintf(sck, "%s uploaded %s from %s.\r\nFile size is %d.\r\n"
                   "Please move the file where it belongs.\r\n",
                   guestpw, pathname, remotehost, byte_count);
...
#endif /* MAIL_ADMIN */
...
...
}

In this function we have control over the argument name, and in theory we can do a remote overflow via the call:

        SockPrintf(sck, "Subject: New file uploaded: %s\r\n\r\n", name);

... but in the system (Linux) there is a restriction of path_name = 4095, and in this example we would need to build a path_name of at least 32778 :-)
 (Is it possible to bypass it?)

III. Exploit.

    Nah :-) Read the second section :P

--
pi3 (piekielny / pi3ki31ny) - pi3ki31ny@wp.pl
http://www.pi3.int.pl

"Fuck the system - FTS"
"Love your mum and your friends :D"
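
The following is an added example, written for this archive entry; it is not code from the original message nor from the wu-ftpd project. It takes the two figures that both the advisory description and the posted SockPrintf()/store() excerpt rely on (a 32768-byte stack buffer written with vsprintf(), and a Linux path name bounded at 4095 characters) and checks them arithmetically: how long the formatted "Subject:" line becomes for a given file-name length, whether that length would run past the original buffer, and how a vsnprintf()-based replacement refuses the same input instead of overflowing. The format string is the one from the store() excerpt; the file names are constructed test input, and the constants SOCK_BUF_LEN and LINUX_PATH_LIMIT are assumptions taken from the text rather than from wu-ftpd's headers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed from the advisory text (not wu-ftpd headers): SockPrintf()'s local
 * buffer is 32768 bytes, and Linux bounds a path name at 4095 characters. */
#define SOCK_BUF_LEN 32768
#define LINUX_PATH_LIMIT 4095

/* Format string from the store() excerpt, 28 fixed bytes before the name and 4 after. */
static const char *SUBJECT_FMT = "Subject: New file uploaded: %s\r\n\r\n";

/* Length (excluding the NUL) the formatted message would occupy, computed
 * without writing anywhere: this is how far vsprintf() in the original
 * SockPrintf() would write into its stack buffer. */
size_t formatted_length(const char *format, ...) {
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(NULL, 0, format, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if vsprintf() into char buf[SOCK_BUF_LEN] would write past the buffer
 * (formatted text plus the terminating NUL must fit). */
int would_overflow_sockprintf(const char *format, const char *name) {
    return formatted_length(format, name) + 1 > SOCK_BUF_LEN;
}

/* Hardened counterpart to SockPrintf(): vsnprintf() bounds the write and the
 * result is checked, so an over-long message is rejected, never truncated and
 * sent, and never written past the buffer. Returns bytes written, or -1. */
int sock_printf_safe(char *out, size_t out_len, const char *format, ...) {
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, out_len, format, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= out_len)
        return -1; /* would not fit (or encoding error): refuse */
    return n;
}

/* Constructed test input: a file name of `len` 'A's (not real upload data). */
char *make_name(size_t len) {
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Would the original SockPrintf() overflow on the Subject line for a name of this length? */
int subject_overflows_with_name_len(size_t name_len) {
    char *name = make_name(name_len);
    if (!name) return -1;
    int r = would_overflow_sockprintf(SUBJECT_FMT, name);
    free(name);
    return r;
}

/* Bytes the hardened version emits for the same Subject line, or -1 if it refuses. */
int safe_subject_result(size_t name_len) {
    char buf[SOCK_BUF_LEN];
    char *name = make_name(name_len);
    if (!name) return -2;
    int r = sock_printf_safe(buf, sizeof buf, SUBJECT_FMT, name);
    free(name);
    return r;
}

int main(void) {
    size_t lens[] = { LINUX_PATH_LIMIT, SOCK_BUF_LEN - 33, SOCK_BUF_LEN - 32, SOCK_BUF_LEN };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("name length %5zu: vsprintf overflow=%d, vsnprintf result=%d\n",
               lens[i], subject_overflows_with_name_len(lens[i]), safe_subject_result(lens[i]));
    }
    return 0;
}
```

The smallest name that overflows the Subject line is 32736 characters (32768 minus the 32 fixed bytes of the format, minus the NUL); a name capped at the Linux limit of 4095 leaves the message at 4127 bytes, well inside the buffer, which is the reporter's reason for the "(not)" in the title. The hardened function is the change a maintainer would make regardless, since it removes the dependence on every caller's argument bounds.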
