Hi,

Because the IPv6-enabled ftpd at
http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD
contains the same bug:

>[root@gate ftpd]# pwd
>/usr/local/src/ftpd-BSD/ftpd-BSD-0.3.2/ftpd
>[root@gate ftpd]# grep npath *
>ftpd.c: char npath[MAXPATHLEN];
>ftpd.c: for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
>ftpd.c:         npath[i] = *name;
>ftpd.c:                 npath[++i] = '"';
>ftpd.c: npath[i] = '\0';
>ftpd.c: reply(257, "\"%s\" %s", npath, message);

Non-newbies can apply a patch:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/005_ftpd.patch

Others should disable the ftp daemon and wait for an updated package.

         Peter

Here the original advisory:

>Delivered-To: [EMAIL PROTECTED]
>From: [EMAIL PROTECTED]
>Date: Wed, 20 Dec 2000 14:41:17 +0100 (MET)
>To: [EMAIL PROTECTED]
>Subject: [OpenBSD] Buffer Overflow in ftpd
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Dear colleagues,
>
>We have just received the following warning from the OpenBSD team about
>security problems in ftpd. We are passing this information on to you
>unchanged.
>
>It describes a vulnerability in the FTP daemon (ftpd) (more precisely: a
>buffer overflow in the function replydirname()) through which an attacker
>can obtain root privileges over the network on the attacked system.
>
>Affected by this vulnerability are all OpenBSD versions up to and
>including version 2.8. OpenBSD provides a patch that fixes the
>vulnerability.
>
>As usual, the advisory from OpenBSD is not digitally signed.
>
>Kind regards,
>                 Klaus Moeller, DFN-CERT
>
>PS: A small error has crept into the advisory. In the section
>     "TECHNICAL DETAILS" it must of course read "bounds variable
>     `i' to be <= 1023" and not "to be < 1023".
>
>- --
>Klaus Moeller            |                    mailto:[EMAIL PROTECTED]
>DFN-CERT GmbH            |          http://www.cert.dfn.de/team/moeller/
>Vogt-Koelln-Str. 30      |                      Phone: +49(40)42883-2262
>D-22527 Hamburg          |                        FAX: +49(40)42883-2241
>Germany                  |       PGP-Key: finger [EMAIL PROTECTED]
>
>- ----------------------------------------------------------------------------
>
>                         OpenBSD Security Advisory
>
>                             December 18, 2000
>
>              Single-byte buffer overflow vulnerability in ftpd
>
>- ----------------------------------------------------------------------------
>
>SYNOPSIS
>
>A relatively obscure one-byte buffer overflow bug present in ftpd(8) turns
>out to be a serious problem, yielding remote users root access under
>certain conditions.  For a system to be vulnerable, ftpd must have been
>explicitly enabled by the administrator (OpenBSD ships with it OFF by
>default) and the attacker must have write access to at least one directory.
>Therefore, anonymous read-only FTP servers are safe (we recommend applying
>the patch regardless, of course).  Non-anonymous FTP administrators should
>seriously consider using a more secure transport like SSH.
>
>A fix for this problem was committed on December 4th.  OpenBSD developers
>became aware of a publicly available exploit on December 17th.
>
>- ----------------------------------------------------------------------------
>
>AFFECTED SYSTEMS
>
>This vulnerability affects OpenBSD versions through 2.8.  FreeBSD is
>reportedly not vulnerable.  NetBSD is vulnerable to the same bug and a patch
>was applied to their tree on December 14th.
>
>- ----------------------------------------------------------------------------
>
>TECHNICAL DETAILS
>
>The offending code is as follows:
>
>         char npath[MAXPATHLEN];
>         int i;
>
>         for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
>                 npath[i] = *name;
>                 if (*name == '"')
>                         npath[++i] = '"';
>         }
>         npath[i] = '\0';
>
>In <sys/param.h>, MAXPATHLEN is defined to be 1024 bytes.  The for()
>construct here correctly bounds variable `i' to be < 1023, such that when
>the loop has ended, no byte past npath[1023] may be written with '\0'.
>However, since `i' is also incremented in the nested statements here,
>it can become as large as 1024, and npath[1024] is past the end of the
>allocated buffer space.
>
>- ----------------------------------------------------------------------------
>
>RESOLUTION
>
>OpenBSD does not ship with ftpd enabled by default.  If you are using it,
>disable it until you are fixed by editing /etc/inetd.conf and restarting
>the inetd(8) daemon.
>
>Then, apply the fix below to your OpenBSD 2.8 source tree. The patch is also
>available at http://www.openbsd.org/errata.html (005).
>
>- ----------------------------------------------------------------------------
>
>REFERENCES
>
>The original bug report,
>
>         http://www.geocrawler.com/lists/3/OpenBSD/254/75/4767480/
>
>Security and errata,
>
>         http://www.openbsd.org/security.html
>         http://www.openbsd.org/errata.html
>
>Olaf Kirch discusses one-byte overruns in a post to BUGTRAQ in 1998 with
>subject "The poisoned NUL byte",
>
>         http://www.securityfocus.com/archive/1/10884
>
>- ----------------------------------------------------------------------------
>
>CREDITS
>
>This vulnerability was first reported to OpenBSD by Kristian Vlaardingerbroek
>through the [EMAIL PROTECTED] mailing list.  Kristian acknowledged in a later
>post that it was Ronald (a.k.a. Scrippie) who originally found the bug.
>
>The fix provided in the original bug report is incorrect.  Credit goes to
>Jun-ichiro itojun Hagino <[EMAIL PROTECTED]> for applying a safe fix to
>the OpenBSD 2.8-current tree.  This patch has also been applied to the
>stable branch.
>
>- ----------------------------------------------------------------------------
>
>OPENBSD 2.8 PATCH
>
>Apply by doing:
>         cd /usr/src
>         patch -p0 < 005_ftpd.patch
>
>And then rebuild and install ftpd:
>         cd libexec/ftpd
>         make obj
>         make depend
>         make
>         make install
>
>Index: libexec/ftpd/ftpd.c
>===================================================================
>RCS file: /cvs/src/libexec/ftpd/ftpd.c,v
>retrieving revision 1.79
>diff -u -r1.79 ftpd.c
>- --- libexec/ftpd/ftpd.c       2000/09/15 07:13:45     1.79
>+++ libexec/ftpd/ftpd.c 2000/12/05 17:06:29
>@@ -1959,15 +1959,21 @@
>  replydirname(name, message)
>         const char *name, *message;
>  {
>+       char *p, *ep;
>         char npath[MAXPATHLEN];
>- -     int i;
>
>- -     for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
>- -             npath[i] = *name;
>- -             if (*name == '"')
>- -                     npath[++i] = '"';
>+       p = npath;
>+       ep = &npath[sizeof(npath) - 1];
>+       while (*name) {
>+               if (*name == '"' && ep - p >= 2) {
>+                       *p++ = *name++;
>+                       *p++ = '"';
>+               } else if (ep - p >= 1)
>+                       *p++ = *name++;
>+               else
>+                       break;
>         }
>- -     npath[i] = '\0';
>+       *p = '\0';
>         reply(257, "\"%s\" %s", npath, message);
>  }
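Review bot: in the fallback branch `} else if (ep - p >= 1)` a `"` that arrives with only one byte of room left is copied without its doubled partner (the first branch only doubles it when `ep - p >= 2`), so a truncated 257 reply can end in an unescaped quote. Memory-wise this is fine, since `ep` reserves the NUL slot and `*p = '\0'` can never land past `npath[sizeof(npath) - 1]`, but for RFC 959 quoting consider `} else if (*name != '"' && ep - p >= 1)` so the loop breaks instead of emitting a lone quote. A short comment above the `while` noting that over-long paths are now silently truncated in the reply rather than rejected would also help the next reader, since the old `for` loop's bound made that implicit.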
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2i
>Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface
>
>iQEVAwUBOkC29YrEggYLt8j5AQE91Af/WvYOBRUIEJ3jVQm6lV/xrFp/dj5b1Ff/
>Mr4wC343ccLtimYhQXOLB0CBMeh2umHTOF0S0FSPtE13j5wcYoHfiACJeWGrRals
>AU2VEikQczVNkdlLnJe+CONtBBIecy56neyKtR6x7iNEL1PjwVFaUFy/gOfTeMb7
>3kmU6R+ocTwbVYnWZWpcW4OIGZUJpYKoOz9Z4nNpfse1U98TklN7kwYLzAKi+YZx
>xvcu+QH28zVbSpgRzS6mhV+rWuXIIr6b3HqFO0qvWIjB0MggsO/lygf6nckbv+LK
>jdO3pXc2EeuTjeHfwsE6YuJSWN1SNJpE7OHQjxZlBJsKhh2Yda6DAw==
>=Em3r
>-----END PGP SIGNATURE-----
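To make the one-byte overrun from the TECHNICAL DETAILS section concrete, here is an added C example (mine, not code from the advisory, from OpenBSD or from the ftpd-BSD package). It carries the vulnerable quoting loop and a hardened loop in the shape of the OpenBSD fix side by side and feeds both the worst-case input: 1022 ordinary bytes followed by a `"`, against a MAXPATHLEN (1024) buffer. The vulnerable loop writes its terminating NUL at index 1024, one byte past the buffer; the hardened loop stops at 1022. Assumptions: `PATH_CAP` stands in for `MAXPATHLEN`, the demo gives the vulnerable copy a buffer with one spare byte so the demonstration itself stays within bounds, and the hardened loop additionally refuses to copy a quote that cannot be doubled (a tightening of the original fix, marked in the code).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for MAXPATHLEN from <sys/param.h>, 1024 on the affected systems. */
#define PATH_CAP 1024

/*
 * Vulnerable quoting loop, transcribed from the advisory. Returns the index
 * at which the terminating '\0' was written. `i' is incremented twice for a
 * '"' (once in the body, once by the for clause), so with the right input the
 * loop exits with i == cap and the NUL lands one byte past a cap-sized buffer.
 * Callers in this demo pass a buffer of cap + 1 bytes so observing that index
 * is not itself undefined behaviour.
 */
static size_t quote_path_vulnerable(const char *name, char *npath, size_t cap)
{
    size_t i;

    for (i = 0; *name != '\0' && i < cap - 1; i++, name++) {
        npath[i] = *name;
        if (*name == '"')
            npath[++i] = '"';   /* second increment: i can reach cap here */
    }
    npath[i] = '\0';
    return i;
}

/*
 * Hardened loop: write pointer p, end pointer ep reserved for the NUL. A '"'
 * is copied only if both bytes fit. The `*name != '"'` test in the second
 * branch is my addition over the OpenBSD patch, so a quote that cannot be
 * doubled truncates the output instead of appearing unescaped.
 * Returns bytes written before the NUL, always <= cap - 1.
 */
static size_t quote_path_fixed(const char *name, char *npath, size_t cap)
{
    char *p = npath;
    char *ep = &npath[cap - 1];

    while (*name) {
        if (*name == '"' && ep - p >= 2) {
            *p++ = *name++;
            *p++ = '"';
        } else if (*name != '"' && ep - p >= 1) {
            *p++ = *name++;
        } else {
            break;              /* out of room: truncate, never overrun */
        }
    }
    *p = '\0';
    return (size_t)(p - npath);
}

/* Constructed trigger input: cap - 2 ordinary bytes, then a '"', then NUL. */
static void build_trigger(char *name, size_t cap)
{
    memset(name, 'a', cap - 2);
    name[cap - 2] = '"';
    name[cap - 1] = '\0';
}

/* Index where the vulnerable loop wrote its NUL for the trigger input.
 * PATH_CAP means one byte past a MAXPATHLEN-sized npath. */
size_t vulnerable_nul_index(void)
{
    char name[PATH_CAP];
    char npath[PATH_CAP + 1];   /* spare byte keeps this demo in bounds */

    build_trigger(name, PATH_CAP);
    return quote_path_vulnerable(name, npath, PATH_CAP);
}

/* Same trigger through the hardened loop: bytes written before the NUL. */
size_t fixed_length(void)
{
    char name[PATH_CAP];
    char npath[PATH_CAP];

    build_trigger(name, PATH_CAP);
    return quote_path_fixed(name, npath, PATH_CAP);
}

/* Sanity check that quotes are still doubled when there is room (RFC 959). */
int fixed_doubles_quotes(void)
{
    char npath[16];

    quote_path_fixed("a\"b", npath, sizeof npath);
    return strcmp(npath, "a\"\"b") == 0;
}

int main(void)
{
    printf("vulnerable loop wrote NUL at index %zu (buffer size %d)\n",
           vulnerable_nul_index(), PATH_CAP);
    printf("fixed loop wrote %zu bytes, quotes doubled: %d\n",
           fixed_length(), fixed_doubles_quotes());
    return 0;
}
```

The overrun byte is a NUL, which is why the advisory cites "The poisoned NUL byte": on the real stack that byte clears the low byte of whatever sits right after npath, which is what turns a single out-of-bounds write into a control-flow problem. The grep output at the top of this mail shows the same `npath[++i]` pattern in ftpd-BSD, so the same input shape applies there.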