
atftpd vulnerability and patch?



http://packetstorm.linuxsecurity.com/filedesc/atftpdx.c.html says: Proof
of concept remote root exploit for atftpd version 0.6. Makes use of the
filename overflow found by Rick Patel. Related post here. Tested against
Debian 3.0. By gunzip

http://packetstorm.linuxsecurity.com/filedesc/atftpd.patch.html says:
Simple patch to fix the overflow found in atftpd by Rick Patel. By gunzip

The patch is:
--- tftpd_file.c	Tue Mar 12 05:26:18 2002
+++ tftpd_file_diff.c	Thu Jun  5 20:31:06 2003
@@ -357,7 +357,8 @@
      else
      {
           strcpy(filename, directory);
-          strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
+          strncat(filename, data->tftp_options[OPT_FILENAME].value,
+		VAL_SIZE - strlen( directory ) - 1 );
      }

      /* If the filename contain /../ sequences, we forbid the access */
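Review bot: the new bound `VAL_SIZE - strlen( directory ) - 1` is only safe if `filename` really is a VAL_SIZE-byte buffer (its declaration is outside this hunk) and if `strlen(directory)` is below VAL_SIZE; if the directory is longer, the unchanged `strcpy(filename, directory)` on the line above has already overrun the buffer and the unsigned subtraction wraps to a huge count, so the strncat is unbounded again. Consider checking `strlen(directory) < VAL_SIZE` (or `sizeof filename`) before the strcpy, or replacing both calls with `snprintf(filename, sizeof filename, "%s%s", directory, data->tftp_options[OPT_FILENAME].value)` and rejecting the request when the return value reports truncation: silently cutting the requested name changes which file gets served, and nothing in the hunk comments on that behaviour.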



http://packages.qa.debian.org/a/atftp.html shows:
[2002-04-24] Accepted atftp 0.6.1.1 (source hppa)
[2002-04-13] Accepted atftp 0.6.1 (i386 source)
[2002-03-31] Accepted atftp 0.6 (i386 source)
[2002-02-11] Installed atftp 0.5 (i386 source)
[2001-07-21] Installed atftp 0.4 (i386 source)
[2001-03-05] Installed atftp 0.3 (i386 source)
[2000-12-27] Installed atftp 0.2 (i386 source)
[2000-08-21] Installed atftp 0.1 (source i386)

and:
Testing 0.6.1.1
Stable 0.6

I'm guessing atftp is vulnerable, but without checking I won't file a bug.
Checking the code should be easy, but checking if this could actually be
exploited would take a bit more thought. If stable is actually vulnerable
and exploitable then the security team should be co-ordinated with.

     Drew Daniels



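The strncat misuse behind this report, shown as an added example that is not atftpd's code and not part of the message above. The value of VAL_SIZE, the directory "/tftpboot/" and the file names are constructed for the demonstration; the three functions contrast the original pattern (strncat's limit only caps the appended part, so the total can exceed the buffer), the patch's approach with the length guard it needs, and a bounded snprintf join that refuses over-long names instead of truncating them. The unbounded variant is called with an oversized scratch buffer so the overrun is measured rather than performed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define VAL_SIZE 512   /* assumed for this example; atftpd's real constant is not on the page */

/* Original pattern. strncat(out, name, VAL_SIZE) appends up to VAL_SIZE
 * characters regardless of what strcpy already placed in out, so a
 * VAL_SIZE-byte buffer receives strlen(directory) + VAL_SIZE + 1 bytes.
 * The caller must pass a scratch buffer of at least 2*VAL_SIZE+1 bytes;
 * the return value is how many bytes a real VAL_SIZE buffer would have taken. */
size_t join_unbounded(char *out, const char *directory, const char *name)
{
    strcpy(out, directory);
    strncat(out, name, VAL_SIZE);
    return strlen(out) + 1;           /* bytes written, including the NUL */
}

/* The patched pattern: cap the appended part by the space left after the
 * directory. The guard on strlen(directory) is what keeps the subtraction
 * from wrapping (size_t) and keeps strcpy itself inside the buffer.
 * Returns the resulting length, or -1 if the directory alone does not fit.
 * Note the file name is silently truncated when it is too long. */
int join_patched(char *out, size_t out_size, const char *directory, const char *name)
{
    size_t dlen = strlen(directory);
    if (dlen >= out_size)
        return -1;
    strcpy(out, directory);
    strncat(out, name, out_size - dlen - 1);
    return (int)strlen(out);
}

/* Bounded join: snprintf never writes more than out_size bytes and reports
 * the length it wanted, so truncation is detectable and treated as an error
 * rather than quietly serving a different file than was asked for. */
int join_bounded(char *out, size_t out_size, const char *directory, const char *name)
{
    int n = snprintf(out, out_size, "%s%s", directory, name);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char scratch[2 * VAL_SIZE + 1];
    char filename[VAL_SIZE];
    const char *directory = "/tftpboot/";   /* constructed sample directory */
    char longname[VAL_SIZE + 1];            /* a VAL_SIZE-character file name */
    memset(longname, 'A', VAL_SIZE);
    longname[VAL_SIZE] = '\0';

    size_t wrote = join_unbounded(scratch, directory, longname);
    printf("unbounded: %zu bytes for a %d-byte buffer\n", wrote, VAL_SIZE);

    int len = join_patched(filename, sizeof filename, directory, longname);
    printf("patched: length %d (truncated, buffer intact)\n", len);

    if (join_bounded(filename, sizeof filename, directory, longname) < 0)
        printf("bounded: refused over-long file name\n");
    if (join_bounded(filename, sizeof filename, directory, "pxelinux.0") >= 0)
        printf("bounded: %s\n", filename);
    return 0;
}
```

join_patched reproduces the behaviour of the posted patch once the guard is present; whether truncating the name or rejecting the request is the right policy is a separate decision, but only join_bounded lets the caller make it.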