Johan, It still needs to be fixed, and I'm glad someone decided to audit proftpd.
Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS/CM>CC/IT d- s:+ a16 C++(++++)>$ UL++++>$ P---() L+++>+ E+>+ W+(-) N o? K? w--() !O M- !V PS+>+ PE- Y+ PGP t+ !5 X-- !R tv b DI D++ G>+++ e-- h! !r y ------END GEEK CODE BLOCK------ On Thu, 6 Jul 2000, Johan Bucht wrote: > Bug 1: > In proftpd you have the option of running as nobody so it shouldn't be much > trouble. > So anyone running as root could easily change it... > Oh well, just my 5 cents > > /Johan > > ----- Original Message ----- > From: Chris Hanlon <[EMAIL PROTECTED]> > To: <debian-security@lists.debian.org> > Sent: Thursday, July 06, 2000 12:39 AM > Subject: [EMAIL PROTECTED]: proftp advisory] > > > > ----- Forwarded message from lamagra <[EMAIL PROTECTED]> ----- > > > > Delivered-To: [EMAIL PROTECTED] > > Approved-By: [EMAIL PROTECTED] > > Delivered-To: [EMAIL PROTECTED] > > Delivered-To: bugtraq@securityfocus.com > > X-Mailer: Spruce 0.6.2 for X11 w/smtpio 0.7.6 > > Date: Mon, 3 Jul 2000 12:40:54 CEST > > Reply-To: [EMAIL PROTECTED] > > From: lamagra <[EMAIL PROTECTED]> > > Subject: proftp advisory > > X-To: [EMAIL PROTECTED] > > To: BUGTRAQ@SECURITYFOCUS.COM > > > > ___________________________________________________ > > http://lamagra.seKure.de: advisory #1 > > > > Advisory: misc. bugs > > Programname: proftpd > > Versions: 1.2.0 <= pre10 > > Vendor: proftpd.net > > Severity: high (root shell) and low > > Contact: [EMAIL PROTECTED] > > > > Bug1: > > void set_proc_title(char *fmt,...) in src/main.c > > > > <snippet> > > memset(statbuf, 0, sizeof(statbuf)); > > vsnprintf(statbuf, sizeof(statbuf), fmt, msg); > > > > #ifdef HAVE_SETPROCTITLE > > setproctitle(statbuf); > > #endif /* HAVE_SETPROCTITLE */ > > </snippet> > > > > setproctitle, defined setproctitle(char *fmt,...);, calls vsnprintf(). > > This makes it vulnerable for formatattacks. By carefully outlining the > > attackbuffer it's possible to gain root priviledges. > > > > Fix: use setproctitle("%s",statbuf); > > > > Bug2: > > MODRET pam_auth(cmd_rec *cmd) in modules/mod_pam.c > > > > <snippet> > > /* Allocate our entries...we don't free this because PAM does this for > > us. > > */ > > pam_user = malloc(strlen(cmd->argv[0]) + 1); > > if(pam_user == (char *)0) > > return pam_return_type ? ERROR(cmd) : DECLINED(cmd); > > sstrncpy(pam_user, cmd->argv[0], strlen(cmd->argv[0]) + 1); > > > > pam_pass = malloc(strlen(cmd->argv[1]) + 1); > > if(pam_pass == (char *)0) > > return pam_return_type ? ERROR(cmd) : DECLINED(cmd); > > sstrncpy(pam_pass, cmd->argv[1], strlen(cmd->argv[1]) + 1); > > </snippet> > > > > PAM doesn't do it for you though. Which leaves a nice memoryleak. > > But since USER/PASS is limited to 3 tries and user changing isn't > > supported. > > This can't be used as a Denial of service attack against proftpd, unless > > the administartor sets a different (higher) limit. > > > > Fix: pstrdup() or just use cmd->argv[0] and cmd->argv[1]. > > > > Bug3: > > void logformat(char *nickname, char *fmts) doesn't check boundaries on > > it's > > local variable 'format'. As a result custom logformats could overflow the > > buffer. Just a really small thingie :) Could cause some problems though. > > > > Bug3: > > int dolist(cmd_rec *cmd, const char *opt, int clearflags) in > > modules/mod_ls.c > > <snippet> > > char pbuffer[MAXPATHLEN]; > > > > if(*arg == '~') { > > struct passwd *pw; > > int i; > > const char *p; > > > > i = 0; > > p = arg; > > p++; > > > > while(*p && *p != '/') > > pbuffer[i++] = *p++; > > pbuffer[i] = '\0'; > > </snippet> > > > > This function gets called by cmd_stat, with 'arg' being the argument of > > STAT. > > This looks really bad and ugly. But isn't really exploitable since the > > input > > buffer is only 1024 bytes. But it's still insecure programming. > > > > > > Copyright 2000-2001 > > lamagra.seKure.de > > > > ----- End forwarded message ----- > > > > > > -- > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] >