re: [lamagra@DIGIBEL.ORG: proftp advisory]

To: Johan Bucht <bucht@hem.utfors.se>
Cc: debian-security@lists.debian.org
Subject: re: [lamagra@DIGIBEL.ORG: proftp advisory]
From: Alexander Hvostov <vulture@aoi.dyndns.org>
Date: Wed, 5 Jul 2000 17:33:17 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.4.21.0007051733020.31804-100000@cornerstone.core.aoi>
In-reply-to: <[🔎] 000501bfe6da$19ab9f00$0901a8c0@Dator>

Johan,

It still needs to be fixed, and I'm glad someone decided to audit proftpd.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM>CC/IT d- s:+ a16 C++(++++)>$ UL++++>$ P---() L+++>+ E+>+ W+(-) N o? K? w--() 
!O M- !V PS+>+ PE- Y+ PGP t+ !5 X-- !R tv b DI D++ 
G>+++ e-- h! !r y 
------END GEEK CODE BLOCK------

On Thu, 6 Jul 2000, Johan Bucht wrote:

> Bug 1: 
> In proftpd you have the option of running as nobody so it shouldn't be much trouble.
> So anyone running as root could easily change it...
> Oh well, just my 5 cents
> 
> /Johan 
> 
> ----- Original Message ----- 
> From: Chris Hanlon <chanlon@amavi.com>
> To: <debian-security@lists.debian.org>
> Sent: Thursday, July 06, 2000 12:39 AM
> Subject: [lamagra@DIGIBEL.ORG: proftp advisory]
> 
> 
> > ----- Forwarded message from lamagra <lamagra@DIGIBEL.ORG> -----
> > 
> > Delivered-To: chanlon@AMAVI.COM
> > Approved-By: aleph1@SECURITYFOCUS.COM
> > Delivered-To: bugtraq@lists.securityfocus.com
> > Delivered-To: bugtraq@securityfocus.com
> > X-Mailer: Spruce 0.6.2 for X11 w/smtpio 0.7.6
> > Date:         Mon, 3 Jul 2000 12:40:54 CEST
> > Reply-To: lamagra@digibel.org
> > From: lamagra <lamagra@DIGIBEL.ORG>
> > Subject:      proftp advisory
> > X-To:         macgyver@tos.net
> > To: BUGTRAQ@SECURITYFOCUS.COM
> > 
> >     ___________________________________________________
> > http://lamagra.seKure.de: advisory #1
> > 
> > Advisory: misc. bugs
> > Programname: proftpd
> > Versions: 1.2.0 <= pre10
> > Vendor: proftpd.net
> > Severity: high (root shell) and low
> > Contact: lamagra@digibel.org
> > 
> > Bug1:
> >   void set_proc_title(char *fmt,...) in src/main.c
> > 
> >   <snippet>
> >   memset(statbuf, 0, sizeof(statbuf));
> >   vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
> > 
> >   #ifdef HAVE_SETPROCTITLE
> >   setproctitle(statbuf);
> >   #endif /* HAVE_SETPROCTITLE */
> >   </snippet>
> > 
> >   setproctitle, defined setproctitle(char *fmt,...);, calls vsnprintf().
> >   This makes it vulnerable for formatattacks. By carefully outlining the
> >   attackbuffer it's possible to gain root priviledges.
> > 
> >   Fix: use setproctitle("%s",statbuf);
> > 
> > Bug2:
> >   MODRET pam_auth(cmd_rec *cmd) in modules/mod_pam.c
> > 
> >   <snippet>
> >   /* Allocate our entries...we don't free this because PAM does this for
> > us.
> >    */
> >   pam_user = malloc(strlen(cmd->argv[0]) + 1);
> >   if(pam_user == (char *)0)
> >     return pam_return_type ? ERROR(cmd) : DECLINED(cmd);
> >   sstrncpy(pam_user, cmd->argv[0], strlen(cmd->argv[0]) + 1);
> > 
> >   pam_pass = malloc(strlen(cmd->argv[1]) + 1);
> >   if(pam_pass == (char *)0)
> >     return pam_return_type ? ERROR(cmd) : DECLINED(cmd);
> >   sstrncpy(pam_pass, cmd->argv[1], strlen(cmd->argv[1]) + 1);
> >   </snippet>
> > 
> >   PAM doesn't do it for you though. Which leaves a nice memoryleak.
> >   But since USER/PASS is limited to 3 tries and user changing isn't
> > supported.
> >   This can't be used as a Denial of service attack against proftpd, unless
> >   the administartor sets a different (higher) limit.
> > 
> >   Fix: pstrdup() or just use cmd->argv[0] and cmd->argv[1].
> > 
> > Bug3:
> >   void logformat(char *nickname, char *fmts) doesn't check boundaries on
> > it's
> >   local variable 'format'. As a result custom logformats could overflow the
> >   buffer. Just a really small thingie :) Could cause some problems though.
> > 
> > Bug3:
> >   int dolist(cmd_rec *cmd, const char *opt, int clearflags) in
> > modules/mod_ls.c
> >   <snippet>
> >      char   pbuffer[MAXPATHLEN];
> > 
> >      if(*arg == '~') {
> >         struct passwd *pw;
> >         int i;
> >         const char *p;
> > 
> >         i = 0;
> >         p = arg;
> >         p++;
> > 
> >         while(*p && *p != '/')
> >           pbuffer[i++] = *p++;
> >         pbuffer[i] = '\0';
> >    </snippet>
> > 
> >    This function gets called by cmd_stat, with 'arg' being the argument of
> > STAT.
> >    This looks really bad and ugly. But isn't really exploitable since the
> > input
> >    buffer is only 1024 bytes. But it's still insecure programming.
> > 
> > 
> > Copyright 2000-2001
> > lamagra.seKure.de
> > 
> > ----- End forwarded message -----
> > 
> > 
> > --  
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > 
> 
> 
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

Follow-Ups:
- Re: [lamagra@DIGIBEL.ORG: proftp advisory]
  - From: Wichert Akkerman <wichert@cistron.nl>

References:
- re: [lamagra@DIGIBEL.ORG: proftp advisory]
  - From: Johan Bucht <bucht@hem.utfors.se>

Prev by Date: re: [lamagra@DIGIBEL.ORG: proftp advisory]
Next by Date: Re: HHHEEEEEEEEELLLLLLLLPPPPPPPP!!!!!!!!!!
Previous by thread: re: [lamagra@DIGIBEL.ORG: proftp advisory]
Next by thread: Re: [lamagra@DIGIBEL.ORG: proftp advisory]
Index(es):
- Date
- Thread