[ SOURCE: http://www.secureroot.com/security/advisories/9761550064.html ]

There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:



int sendstrf(int s, char *format, ...) {

 ....

  vsprintf(buffer, format, val);



when the function is called from NLIST command:



  else

      foo = 1;

      sendstrf(s, entry->d_name);

    }



This can be used to overflow the buffer of the vsprintf and execute

arbitrary code. I don't think it can be normally used for a remote attack

because bftpd removes all non-printable characters from input strings and

so it is not possible to remotely put a shellcode in a filename.

A dimostrative code is attached.





asynchro@pkcrew.org

www.pkcrew.org