Vulnerability Note VU#593299

BSD-derived ftpd replydirname() in ftpd.c contains one-byte overflow

Original Release date: 21 Dec 2000 | Last revised: 22 Dec 2000

Overview

There is an off-by-one vulnerability in several BSD-derived ftpd servers.

Description

The ftp server in several BSD distributions contains a defect that allows one byte of memory allocated within a stack frame to be overwritten with a NUL byte ('\0'). The byte in question lies immediately past the end of a buffer in the function replydirname() in ftpd.c. This buffer holds a directory path name that is passed back to the calling function.

The first byte following this path name happens to be the lowest-addressed byte of the saved frame pointer of the function that called replydirname(). This is the value restored into the extended base pointer (ebp) when replydirname() returns. For example, if the saved ebp was originally 0xbfffacdc, after the overwrite in replydirname() the restored ebp will be 0xbfffac00. In effect, zeroing the low byte of the saved ebp shifts the pointer held in the register by up to 0xdc (220 decimal) bytes.

If the memory at the new location is under the control of the attacker (as it is here), a return address chosen by the attacker can be placed there and used to execute malicious code elsewhere, possibly in the very buffer that was used to overwrite the end of the directory name in the first place (as is the case in replydirname()).

The vulnerable code in this case is in the replydirname() function in ftpd.c, as explained in OpenBSD's Security Advisory about this problem:

TECHNICAL DETAILS

The offending code is as follows:

    char npath[MAXPATHLEN];
    int i;

    for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
            npath[i] = *name;
            if (*name == '"')
                    npath[++i] = '"';   /* second increment of i inside the body */
    }
    npath[i] = '\0';                    /* i can be 1024 here: one byte past npath */

In <sys/param.h>, MAXPATHLEN is defined to be 1024 bytes. The for() construct here correctly bounds variable `i' to be < 1023, such that when the loop has ended, no byte past npath[1023] may be written with '\0'. However, since `i' is also incremented in the nested statements here, it can become as large as 1024, and npath[1024] is past the end of the allocated buffer space.
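The loop from the advisory run against a worst-case name, beside a bounded variant, as an added example that is not part of this vulnerability note or of OpenBSD's advisory. The sentinel byte standing in for the saved frame pointer, the constructed input and the fix shown are assumptions for illustration, not the vendor patch.

```c
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 1024   /* as defined in <sys/param.h> on the affected systems */
#define SENTINEL   0x7f   /* constructed stand-in for the byte that follows npath */

/* The advisory's loop, copying into a caller-supplied buffer of MAXPATHLEN + 1
 * bytes so the out-of-bounds NUL lands on a sentinel instead of the saved ebp.
 * Returns the index that received the terminating NUL. */
size_t copy_quoted_vulnerable(const char *name, char *npath)
{
    size_t i;
    for (i = 0; *name != '\0' && i < MAXPATHLEN - 1; i++, name++) {
        npath[i] = *name;
        if (*name == '"')
            npath[++i] = '"';   /* unchecked: i can reach MAXPATHLEN here */
    }
    npath[i] = '\0';            /* i == MAXPATHLEN writes one byte past npath */
    return i;
}

/* Bounded variant (assumed fix): a quote is doubled only when both the extra
 * quote and the terminating NUL still fit inside npath. */
size_t copy_quoted_fixed(const char *name, char *npath)
{
    size_t i;
    for (i = 0; *name != '\0' && i < MAXPATHLEN - 1; i++, name++) {
        npath[i] = *name;
        if (*name == '"') {
            if (i >= MAXPATHLEN - 2)
                break;          /* no room: the NUL below replaces the lone quote */
            npath[++i] = '"';
        }
    }
    npath[i] = '\0';
    return i;
}

/* Constructed worst case: 1022 'a' bytes followed by a single '"'. Returns 1
 * when the byte just past npath survives the copy, 0 when it is overwritten. */
int sentinel_survives(size_t (*copy)(const char *, char *))
{
    char name[MAXPATHLEN], npath[MAXPATHLEN + 1];
    memset(name, 'a', MAXPATHLEN - 2);
    name[MAXPATHLEN - 2] = '"';
    name[MAXPATHLEN - 1] = '\0';
    memset(npath, 0, sizeof npath);
    npath[MAXPATHLEN] = SENTINEL;
    copy(name, npath);
    return npath[MAXPATHLEN] == SENTINEL;
}
```

With that input the original loop reports the sentinel overwritten (the NUL goes to index 1024) while the bounded loop stops at index 1022 and leaves it intact.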

Impact

A local or remote user can execute arbitrary code with the privileges of the daemon, typically root.

Solution

Apply vendor patches.

Disable the ftp service, or ensure no writable directories are accessible in the ftp base directory.

Systems Affected

Vendor    Status        Date Notified   Date Updated
NetBSD    Affected      -               21 Dec 2000
OpenBSD   Affected      04 Dec 2000     21 Dec 2000
FreeBSD   Not Affected  -               21 Dec 2000
IBM       Not Affected  21 Dec 2000     22 Dec 2000

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

Thanks to scrippie@grafix.nl for reportedly finding the problem, Kristian Vlaardingerbroek for originally reporting the problem to OpenBSD, OpenBSD for publishing an excellent security advisory about the problem, and Olaf Kirch for his lucid explanation of the nature of the off-by-one, poisoned NUL byte vulnerability and how it can be identified and fixed.

This document was written by Jeffrey S Havrilla.

Other Information

  • CVE IDs: Unknown
  • Date Public: 04 Dec 2000
  • Date First Published: 21 Dec 2000
  • Date Last Updated: 22 Dec 2000
  • Severity Metric: 38.56
  • Document Revision: 21
