There is a off-by-one vulnerability in several BSD-derived ftpd servers.
The ftp server in several BSD distributions contains a defect which allows one byte of the program memory allocated within a stack frame to be overwritten with a NUL byte ('\0'). The byte in question is located at the end of a buffer in the function replydirname() in ftpd.c. This buffer contains the name of a directory path to be used by some other calling function.
The first byte following this path name happens to be the lower address of the pointer to the stack frame of the function calling replydirname(). This is the address restored to the extended base pointer when replydirname() terminates. So for example, if the address of the ebp was originally 0xbfffacdc, after the overwrite occurs in replydirname() the ebp will be 0xbfffac00. In effect, Zeroing out the lower byte of the ebp causes the pointer stored in the register to shift by 0xdc (or 220 decimal) bytes.
A local or remote user can execute arbitrary code with the privileges of the daemon, typically root.
Apply vendor patches
Disable the ftp service, or ensure no writable directories are accessible in the ftp base directory.
Thanks to email@example.com for reportedly finding the problem, Kristian Vlaardingerbroek for originally reporting the problem to OpenBSD, OpenBSD for publishing an excellent security advisory about the problem, and Olaf Kirch for his lucid explanation of the nature the off-by-one, poisoned NUL byte vulnerability and how it can be identified and fixed.
This document was written by Jeffrey S Havrilla.
|Date First Published:||2000-12-21|
|Date Last Updated:||2000-12-22 17:32 UTC|