atftpd vulnerability and patch?
http://packetstorm.linuxsecurity.com/filedesc/atftpdx.c.html says: Proof
of concept remote root exploit for atftpd version 0.6. Makes use of the
filename overflow found by Rick Patel. Related post here. Tested against
Debian 3.0. By gunzip
http://packetstorm.linuxsecurity.com/filedesc/atftpd.patch.html says:
Simple patch to fix the overflow found in atftpd by Rick Patel. By gunzip
The patch is:
--- tftpd_file.c Tue Mar 12 05:26:18 2002
+++ tftpd_file_diff.c Thu Jun 5 20:31:06 2003
@@ -357,7 +357,8 @@
else
{
strcpy(filename, directory);
- strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
+ strncat(filename, data->tftp_options[OPT_FILENAME].value,
+ VAL_SIZE - strlen( directory ) - 1 );
}
/* If the filename contain /../ sequences, we forbid the access */
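Review bot: the new bound `VAL_SIZE - strlen( directory ) - 1` on the `+` lines is a `size_t` expression and wraps to a huge value if `strlen(directory)` ever reaches `VAL_SIZE - 1`, which would turn the fixed `strncat` back into an unbounded copy; add a check that `strlen(directory) < VAL_SIZE - 1` before the `strcpy(filename, directory)`, or replace the `strcpy`/`strncat` pair with one `snprintf(filename, VAL_SIZE, "%s%s", directory, data->tftp_options[OPT_FILENAME].value)`. The hunk also assumes `filename` is exactly `VAL_SIZE` bytes, which is not visible in this context; if `filename` is a local array, `sizeof(filename)` is the safer bound to derive from.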
http://packages.qa.debian.org/a/atftp.html shows:
[2002-04-24] Accepted atftp 0.6.1.1 (source hppa)
[2002-04-13] Accepted atftp 0.6.1 (i386 source)
[2002-03-31] Accepted atftp 0.6 (i386 source)
[2002-02-11] Installed atftp 0.5 (i386 source)
[2001-07-21] Installed atftp 0.4 (i386 source)
[2001-03-05] Installed atftp 0.3 (i386 source)
[2000-12-27] Installed atftp 0.2 (i386 source)
[2000-08-21] Installed atftp 0.1 (source i386)
and:
Testing 0.6.1.1
Stable 0.6
I'm guessing atftp is vulnerable, but without checking I won't file a bug.
Checking the code should be easy, but checking if this could actually be
exploited would take a bit more thought. If stable is actually vulnerable
and exploitable then the security team should be co-ordinated with.
Drew Daniels