Vulnerability Note VU#593299
BSD-derived ftpd replydirname() in ftpd.c contains one-byte overflow
Overview
There is an off-by-one vulnerability in several BSD-derived ftpd servers.
I. Description
The ftp server in several BSD distributions contains a defect which allows one byte of program memory allocated within a stack frame to be overwritten with a NUL byte ('\0'). The byte in question is located just past the end of a buffer in the function replydirname() in ftpd.c. This buffer holds a directory path name to be used by some other calling function.
The first byte following this path name happens to be the low byte of the saved pointer to the stack frame of the function calling replydirname(). This is the value restored to the extended base pointer (ebp) when replydirname() returns. So, for example, if the saved ebp was originally 0xbfffacdc, after the overwrite in replydirname() the ebp will be 0xbfffac00. In effect, zeroing the low byte of the ebp shifts the pointer held in the register by 0xdc (220 decimal) bytes.
If the new location pointed to in memory is under the control of the attacker (as is the case here), a return address chosen by the attacker can be placed there and later used to execute malicious code elsewhere, possibly in the very buffer that was used to overwrite the end of the directory name in the first place (as is the case in replydirname()).
The vulnerable code in this case is in the replydirname() function in ftpd.c, as explained in OpenBSD's Security Advisory about this problem:
TECHNICAL DETAILS
The offending code is as follows:
```c
char npath[MAXPATHLEN];
int i;
for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
        npath[i] = *name;
        if (*name == '"')
                npath[++i] = '"';
}
npath[i] = '\0';
```
In <sys/param.h>, MAXPATHLEN is defined to be 1024 bytes. The for() construct here correctly bounds variable `i' to be < 1023, such that when the loop has ended, no byte past npath[1023] may be written with '\0'. However, since `i' is also incremented in the nested statements here, it can become as large as 1024, and npath[1024] is past the end of the allocated buffer space.
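As an added illustration (not code from the advisory or from any ftpd), the loop above is placed beside a bounded version and both are run against a guard byte that stands in for whatever sits just past npath on the stack. MAXPATHLEN, GUARD and the constructed worst-case name are assumptions of this example, and the `- 2` bound is one way to close the hole, not necessarily the vendors' exact patch.

```c
#include <stdio.h>
#include <string.h>
#define MAXPATHLEN 1024
#define GUARD 0xAA  /* constructed sentinel: the byte right after npath */
/* Same loop as the advisory's code. buf has MAXPATHLEN + 1 bytes; buf[MAXPATHLEN] stands in
 * for what follows npath on the stack (the saved frame pointer byte in ftpd). Returns 1 if hit. */
static int copy_vulnerable(char *buf, const char *name)
{
    size_t i;
    buf[MAXPATHLEN] = (char)GUARD;
    for (i = 0; *name != '\0' && i < MAXPATHLEN - 1; i++, name++) {
        buf[i] = *name;
        if (*name == '"')
            buf[++i] = '"';   /* i can reach MAXPATHLEN - 1 here ... */
    }
    buf[i] = '\0';            /* ... so i can equal MAXPATHLEN at this write */
    return (unsigned char)buf[MAXPATHLEN] != GUARD;
}

/* Hardened copy: bound i so a doubled quote plus the terminator always fit inside npath
 * (the longest accepted name is one byte shorter; correctness over length). */
static int copy_fixed(char *buf, const char *name)
{
    size_t i;
    buf[MAXPATHLEN] = (char)GUARD;
    for (i = 0; *name != '\0' && i < MAXPATHLEN - 2; i++, name++) {
        buf[i] = *name;
        if (*name == '"')
            buf[++i] = '"';   /* at most index MAXPATHLEN - 2 */
    }
    buf[i] = '\0';            /* at most index MAXPATHLEN - 1 */
    return (unsigned char)buf[MAXPATHLEN] != GUARD;
}

/* Regression check: a constructed name whose 1023rd byte is a quote, the shape that
 * drives i past the end. Returns 1 if the chosen copy routine clobbered the guard. */
static int worst_case_clobbers_guard(int use_fixed)
{
    static char name[MAXPATHLEN], buf[MAXPATHLEN + 1];
    memset(name, 'a', MAXPATHLEN - 2);  /* ordinary bytes at indices 0..1021 */
    name[MAXPATHLEN - 2] = '"';         /* read by the loop when i == 1022 */
    name[MAXPATHLEN - 1] = '\0';
    return use_fixed ? copy_fixed(buf, name) : copy_vulnerable(buf, name);
}

int main(void)
{
    printf("vulnerable clobbers guard: %d, fixed clobbers guard: %d\n",
           worst_case_clobbers_guard(0), worst_case_clobbers_guard(1));
    return 0;
}
```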
II. Impact
A local or remote user can execute arbitrary code with the privileges of the daemon, typically root.
III. Solution
Apply vendor patches.
Disable the ftp service, or ensure no writable directories are accessible in the ftp base directory.
Systems Affected
| Vendor | Status | Date Updated |
|---|---|---|
| FreeBSD | Not Vulnerable | 21-Dec-2000 |
| IBM | Not Vulnerable | 22-Dec-2000 |
| NetBSD | Vulnerable | 21-Dec-2000 |
| OpenBSD | Vulnerable | 21-Dec-2000 |
References
http://www.geocrawler.com/lists/3/OpenBSD/254/75/4767480/
http://www.securityfocus.com/bid/2124
http://www.openbsd.org/errata.html#ftpd
http://www.openbsd.org/advisories/ftpd_replydirname.txt
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/005_ftpd.patch
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-018.txt.asc
Credit
Thanks to scrippie@grafix.nl for reportedly finding the problem, Kristian Vlaardingerbroek for originally reporting the problem to OpenBSD, OpenBSD for publishing an excellent security advisory about the problem, and Olaf Kirch for his lucid explanation of the nature of the off-by-one, poisoned NUL byte vulnerability and how it can be identified and fixed.
This document was written by Jeffrey S Havrilla.
Other Information
| Date Public | 12/04/2000 |
| Date First Published | 12/21/2000 12:12:29 PM |
| Date Last Updated | 12/22/2000 |
| CERT Advisory | |
| CVE Name | |
| Metric | 38.56 |
| Document Revision | 21 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.