
DoS in PureFTPd

Vulnerability in all versions of PureFTPd.



I.  Introduction.

    All versions of the PureFTPd daemon are affected. The bug is a denial of service (DoS).



II. Vulnerability details.

    The vulnerable function is displayrate(). It contains a simple overflow
check whose failure path is a DoS:



"in file src/ftpd.c"
static void displayrate(const char *word, off_t size,
                        const double started,
                        const char * const name, int up)
{
...
...
        char *resolved_path;
...
...
        if (realpath(name, resolved_path) == NULL) {
...
...
        /* guard byte at the end of the buffer is no longer zero: realpath()
         * wrote past it, so zero memory forward until the process faults */
        if (resolved_path[sizeof_resolved_path - 1U] != 0) {
            for (;;) {
                *resolved_path++ = 0;
            }
        }
...
...
}



The realpath() used here is PureFTPd's own implementation; it can be found
in src/bsd-realpath.c. It writes the resolved string into resolved_path, and
the if that follows checks the last byte of that buffer, a guard byte that is
expected to stay zero. If realpath() wrote far enough to overwrite it, the
for (;;) loop writes zeros forward through memory until the process faults,
which is the DoS. Note that the loop is only entered after an overrun has
already happened: rather than continuing with a corrupted buffer, the code
kills the process, so the effect is a crash of the daemon process handling
the connection.
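As an added example (not PureFTPd code), the guard-byte check from the excerpt above reduced to a small self-contained C program: a zeroed guard byte sits one past the usable buffer, a stand-in writer fills the buffer either with or without a bound, and a checked resolver reports a clobbered guard as an error code instead of looping until the process dies. The buffer sizes, the writer function, the arena slack and the sample path inputs are assumptions made for the demo; it shows why the sentinel catches an overrun and what a bounded writer does differently.

```c
/* guard_byte.c: guard-byte overrun detection in the style of the
 * displayrate() excerpt, with a bounded alternative. Added example, not
 * PureFTPd code; sizes, writer and inputs are assumptions for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESOLVED_MAX    64U                   /* assumption: usable bytes (small for the demo) */
#define SIZEOF_RESOLVED (RESOLVED_MAX + 1U)   /* usable bytes plus one guard byte, kept zero */
#define ARENA_SLACK     64U                   /* extra room so the simulated overrun stays in bounds */

/* Returns 1 when the guard byte has been overwritten, i.e. a writer went past
 * the RESOLVED_MAX bytes it was allowed to use. This is the test the PureFTPd
 * snippet performs before entering its for (;;) loop. */
int guard_clobbered(const char *buf)
{
    return buf[SIZEOF_RESOLVED - 1U] != 0;
}

/* Stand-in for a resolver that writes a path into buf (assumption: a plain
 * copy). With bounded == 0 it behaves like an unchecked strcpy, the kind of
 * writer the guard byte exists to catch; with bounded == 1 it refuses input
 * that would not fit and leaves the buffer untouched. 0 on success, -1 if
 * rejected. */
int write_path(char *buf, const char *src, int bounded)
{
    size_t n = strlen(src);
    if (bounded && n >= RESOLVED_MAX)   /* n chars plus NUL must stay below the guard */
        return -1;
    memcpy(buf, src, n + 1U);           /* unbounded: may run past the guard byte */
    return 0;
}

/* Hardened form of the displayrate() pattern: write, then check the guard
 * and report instead of looping. Returns
 *   0  path written and guard intact
 *  -1  writer rejected the input (bounded mode)
 *  -2  guard byte clobbered: memory past the buffer was written, caller must abort
 * The arena is SIZEOF_RESOLVED + ARENA_SLACK bytes so that the simulated
 * overrun in this demo lands in memory we own. */
int resolve_checked(char *arena, const char *src, int bounded)
{
    memset(arena, 0, SIZEOF_RESOLVED + ARENA_SLACK);
    if (write_path(arena, src, bounded) != 0)
        return -1;
    if (guard_clobbered(arena))
        return -2;   /* PureFTPd's version loops here: for (;;) *resolved_path++ = 0; */
    return 0;
}

int main(void)
{
    char arena[SIZEOF_RESOLVED + ARENA_SLACK];
    /* Constructed inputs: one short path and one longer than the buffer. */
    const char *shortp = "/home/ftp/pub";
    char longp[RESOLVED_MAX + 16U];
    memset(longp, 'A', sizeof longp - 1U);
    longp[sizeof longp - 1U] = 0;

    printf("short path, unbounded writer: %d\n", resolve_checked(arena, shortp, 0)); /* 0 */
    printf("long path,  unbounded writer: %d\n", resolve_checked(arena, longp, 0));  /* -2 */
    printf("long path,  bounded writer:   %d\n", resolve_checked(arena, longp, 1));  /* -1 */
    return 0;
}
```

The interesting case is the second call: the unbounded writer has already corrupted memory by the time the guard is inspected, so the check can only decide how to fail, not prevent the overrun. The bounded writer rejects the same input before touching the buffer, which is the fix a reviewer would ask for instead of the endless zero-fill.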



Now a small program to test it:



"test.c"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX 65536U

/* same layout as in displayrate(): MAX usable bytes plus one guard byte */
static const size_t sizeof_resolved_path = MAX + 1U;
static char *resolved;

/* the check-and-loop from displayrate(): if the guard byte is not zero,
 * write zeros forward through memory until the process faults */
static void error_func(void)
{
    if (resolved[sizeof_resolved_path - 1U] != 0) {
        for (;;) {
            *resolved++ = 0;
        }
    }
}

int main(void)
{
    resolved = malloc(sizeof_resolved_path);
    if (resolved == NULL) {
        return 1;
    }
    memset(resolved, 0, sizeof_resolved_path);
    /* simulate the state after the overrun: the guard byte was overwritten */
    resolved[sizeof_resolved_path - 1U] = 'A';

    printf("Just a small test for DoS in pureftpd\n");
    error_func();
    printf("if you see this msg the error doesn't exist\n");
    return 0;
}



This reproduces the situation in PureFTPd. Compile the test program and run
it under gdb:



GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /home/tyytus/code/DoS/test
Just a small test for DoS in pureftpd

Program received signal SIGSEGV, Segmentation fault.
0x08048364 in error_func.0 ()
(gdb)



We have the DoS: the program keeps writing '0' bytes into memory it does not own until it faults ;]



III. Exploit.

    None yet :-) We haven't written one :(



--
pi3 (pi3ki31ny) - pi3ki31ny@wp.pl (Thanks to tajtus for testing, and to Azido)
http://www.pi3.int.pl

"Pytanie nie brzmi jak? Tylko po co?" ("The question is not how? but what for?")



