
Title: Malformed vsprintf in httpd
Released by: asynchro
Date: 6th December 2000
There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:

int sendstrf(int s, char *format, ...) {
 ....
  vsprintf(buffer, format, val);   /* unbounded write into buffer */

when the function is called from the NLIST command:

  else
      foo = 1;
      sendstrf(s, entry->d_name);  /* file name is passed as the format argument */
    }

This can be used to overflow the buffer of the vsprintf and execute arbitrary code. I don't think it can normally be used for a remote attack, because bftpd removes all non-printable characters from input strings, so it is not possible to remotely put shellcode in a filename.

Demonstration code is attached.





asynchro@pkcrew.org

www.pkcrew.org
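
A corrected form of the NLIST call path described above, as an added example (it is not bftpd's code and not the demonstration code the advisory mentions): the entry name is passed as data to a constant "%s" format, and the write is bounded with vsnprintf. The names fmt_reply, send_entry and REPLY_MAX are hypothetical, and the 256-byte buffer size is an assumption.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REPLY_MAX 256   /* assumed reply buffer size, not taken from bftpd */

/* GCC/Clang extension: lets -Wformat-security flag a non-literal format. */
static int fmt_reply(char *out, size_t outlen, const char *format, ...)
    __attribute__((format(printf, 3, 4)));

/* Bounded formatter: returns the reply length, or -1 if the reply does not
 * fit in out[] (the caller then sends nothing rather than a cut-off line). */
static int fmt_reply(char *out, size_t outlen, const char *format, ...) {
    va_list val;
    va_start(val, format);
    int n = vsnprintf(out, outlen, format, val);  /* never writes past outlen */
    va_end(val);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Hypothetical replacement for the NLIST call site: d_name is an argument
 * to a constant format string, never the format string itself. */
static int send_entry(int s, const char *d_name) {
    char buffer[REPLY_MAX];
    int n = fmt_reply(buffer, sizeof buffer, "%s\r\n", d_name);
    if (n < 0)
        return -1;                  /* over-long name: refuse, do not truncate */
    return write(s, buffer, (size_t)n) == (ssize_t)n ? n : -1;
}

int main(void) {
    /* Constructed sample names: one with conversion specifiers, one over-long. */
    char longname[REPLY_MAX + 64];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    int a = send_entry(STDOUT_FILENO, "report-%x-%s-%n.txt"); /* sent literally */
    int b = send_entry(STDOUT_FILENO, longname);              /* rejected */
    fprintf(stderr, "specifier name -> %d bytes, long name -> %d\n", a, b);
    return 0;
}
```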







