Bug 81894 - net-ftp/gproftpd: gprostats format string vulnerability
Summary: net-ftp/gproftpd: gprostats format string vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2005-02-13 11:53 UTC by rob holland (RETIRED)
Modified: 2005-02-18 08:13 UTC (History)
Description rob holland (RETIRED) gentoo-dev 2005-02-13 11:53:36 UTC
The gproftpd source code is badly written. Lots of sprintf, strcat (versus snprintf and strncat), allowing stack and heap overflows.

The package should be masked. I have notified the author of problems.

I haven't patched it as it'd be a big patch and I don't use the software.

I haven't attempted to exploit any of the overflows but it should be possible.

Marked critical as it should be trivial to exploit.

Reproducible: Always
Steps to Reproduce:
Comment 1 solar (RETIRED) gentoo-dev 2005-02-13 11:58:43 UTC
Could you provide an example of where user/network input is taken and can be abused? I often see programs which do not use snprintf()/strncat() but do so in a semi-safe way (kernel).
Comment 2 Andreas Kling 2005-02-13 14:42:43 UTC
Here's a nice (and not too revealing) example from callbacks.c:

sprintf(user_pass, "usermod -p '%s' %s", encrypted_pass, username);

Try changing a user's password in gproftpd while grep'ing for usermod processes.

You will catch something like this:

 8715 pts/8    D+     0:00 usermod -p $1$is54ShF3$4RUrFy9d8D8I0VCBlo5c91 test_user

This package should be blocked.
Comment 3 rob holland (RETIRED) gentoo-dev 2005-02-13 15:10:45 UTC
Try typing lots of stuff in the DNS server text entry box and hitting add server, overflow in xfer_update.
Comment 4 solar (RETIRED) gentoo-dev 2005-02-13 16:28:14 UTC
Oh, this is nice: the package is maintained by bug-wranglers@gentoo.org.
2 votes for masking now.
Comment 5 Andrea Barisani (RETIRED) gentoo-dev 2005-02-13 16:29:08 UTC
/me votes for masking it
Comment 6 rob holland (RETIRED) gentoo-dev 2005-02-13 16:40:45 UTC
I lied, the overflow isn't related to the text field at all.

bzero(&(myaddr.sin_zero), sizeof(myaddr));

in xfer_update, callbacks.c.

It overflows itself, doesn't need user help :P
Comment 7 rob holland (RETIRED) gentoo-dev 2005-02-14 01:15:50 UTC
Having looked post-coffee this morning I think I over-reacted here. The code is indeed crap, but I can't see anything exploitable, even if it does have stupid self-inflicted overflow in it.

There is an information leak as noted by Andreas.

Maybe if someone with more knowledge than me could review the code?
Comment 8 rob holland (RETIRED) gentoo-dev 2005-02-14 02:26:22 UTC
The code popens "ftpwho" in callbacks.c if something (anything) is listening on the port which is mentioned in proftpd.conf. An evil ftpwho in my path:

--- "exploit" ---
rob@leet ~ $ cat bin/ftpwho 
#!/usr/bin/perl

print 'v' x 68000;
--- end ---

This causes a segfault. I assume this is exploitable, can someone who knows better than me check please?
Comment 9 rob holland (RETIRED) gentoo-dev 2005-02-14 03:52:33 UTC
It's possible to overflow tempname in callbacks.c:user_exists by having a passwd line longer than 4096. Quite how you'd manage to get that I don't know... chfn limits you to a total of 80 chars for the gecos field.
Comment 10 Andreas Kling 2005-02-14 05:19:51 UTC
If the proftpd daemon is running without a MaxInstance limit (not default), spawn about ~500 simultaneous connections (no authentication required) and gproftpd will overflow in a strcat() call.
Comment 11 rob holland (RETIRED) gentoo-dev 2005-02-15 02:40:47 UTC
A new version has been released which fixes the ftpwho overflow. I'll let Magnus know about the passwd/ps listing bugs.
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-15 08:45:39 UTC
There's a remotely exploitable format string vulnerability in the gprostats log parser; users can trigger it by putting or fetching a specially crafted filename.

The vulnerable statement:

314: snprintf(datestamp, x+1, old_buffer);

Obvious fix: add "%s" as arg3.

demo:

$ lftp taviso@localhost
Password: 
lftp taviso@localhost:~> put /dev/null -o foo%.500nbar
lftp taviso@localhost:~> exit                

which generates the xferlog line:

Tue Feb 15 16:43:07 2005 0 localhost 0 /home/taviso/foo%.500nbar b _ i r taviso ftp 1 * c

running gprostats:

$ gdb /usr/sbin/gprostats 
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r -c /etc/proftpd/proftpd.conf -x /var/log/xferlog 
Starting program: /usr/sbin/gprostats -c /etc/proftpd/proftpd.conf -x /var/log/xferlog
Using conf: /etc/proftpd/proftpd.conf
Using xferlog: /var/log/xferlog

Program received signal SIGSEGV, Segmentation fault.
0x4008d26a in vfprintf () from /lib/libc.so.6

Changing component to vulnerability.
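Added example (not gproftpd's own code): the fixed snprintf shape from the comment above, applied inside a small xferlog field extractor, plus a defender-side check that flags log fields carrying a printf conversion so a crafted filename like the one in the demo can be spotted in the log. The filename being field 8 (0-based) is assumed from the xferlog line quoted in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Sample xferlog line (copied from the report above); field 8 is the filename. */
static const char SAMPLE_LINE[] =
    "Tue Feb 15 16:43:07 2005 0 localhost 0 /home/taviso/foo%.500nbar b _ i r taviso ftp 1 * c";

/* The bug's shape, quoted from the report and kept only as a comment:
 *   snprintf(datestamp, x+1, old_buffer);   -- log data used as the format string
 * The fix is a constant format with the data passed as an argument: */
static int copy_field(char *dst, size_t dstsz, const char *src) {
    int n = snprintf(dst, dstsz, "%s", src);  /* '%' in src is now plain data */
    return n >= 0 && (size_t)n < dstsz;       /* 0 when truncated */
}

/* Return field `index` (0-based, space separated) of an xferlog line. */
static int xferlog_field(const char *line, int index, char *out, size_t outsz) {
    char buf[1024], *save = NULL;
    if (!copy_field(buf, sizeof buf, line)) return 0;
    char *tok = strtok_r(buf, " ", &save);
    for (int i = 0; tok && i < index; i++) tok = strtok_r(NULL, " ", &save);
    return tok ? copy_field(out, outsz, tok) : 0;
}

/* Defender-side check: does a log field contain a printf conversion
 * (e.g. "%.500n")? "%%" is a literal percent and is not flagged. */
static int has_format_directive(const char *s) {
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        const char *q = p + 1;
        if (*q == '%') { p = q; continue; }
        while (*q && strchr("-+ #0123456789.*", *q)) q++;  /* flags/width/precision */
        while (*q && strchr("hlLqjzt", *q)) q++;           /* length modifiers */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) return 1;
    }
    return 0;
}

int main(void) {
    char name[256];
    if (xferlog_field(SAMPLE_LINE, 8, name, sizeof name))
        printf("%s -> %s\n", name, has_format_directive(name) ? "FLAGGED" : "ok");
    return 0;
}
```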
Comment 13 rob holland (RETIRED) gentoo-dev 2005-02-16 01:18:39 UTC
New version 8.1.9 released by Magnus which fixes the remote overflow via the log file.

There are still a few local format-string overflows when reading from the config file:

rob@leet /tmp/gproftpd-8.1.9 $ cat /tmp/conf 
ServerName foo%.1000nblehbleh

rob@leet /tmp/gproftpd-8.1.9 $ gdb ./src/gprostats
GNU gdb 6.2.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r -c /tmp/conf
Starting program: /tmp/gproftpd-8.1.9/src/gprostats -c /tmp/conf
Using conf: /tmp/conf

Program received signal SIGSEGV, Segmentation fault.
0xb7ed1622 in _IO_vfprintf (s=0xbffe89a0, format=0x80521cb "foo%.1000nblehbleh", ap=0xbffe8ad0 "") at vfprintf.c:1534
1534	vfprintf.c: No such file or directory.
	in vfprintf.c
(gdb) backtrace
#0  0xb7ed1622 in _IO_vfprintf (s=0xbffe89a0, format=0x80521cb "foo%.1000nblehbleh", ap=0xbffe8ad0 "") at vfprintf.c:1534
#1  0xb7eef02d in _IO_vsnprintf (string=0xbfff1440 "foo", maxlen=83, format=0x0, args=0xbffe8acc "") at vsnprintf.c:120
#2  0xb7ed6b62 in __snprintf (s=0x0, maxlen=0, format=0x0) at snprintf.c:35
#3  0x080494ae in main (argc=3, argv=0xbffff4e4) at gprostats.c:196
(gdb)
Comment 14 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-16 05:41:58 UTC
net-ftp/gproftpd-8.1.9 has been added to portage.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-02-16 05:45:25 UTC
sparc: please test and mark stable.
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-16 11:07:15 UTC
sparc stable.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-18 08:13:51 UTC
Thx Rob and Tavis.

GLSA 200502-26