| VID | 16047 |
| Severity | 40 |
| Port | 21 |
| Protocol | TCP |
| Class | FTP |
| Detailed Description |
The BFTPD daemon has a format string vulnerability in its handling of the NLST command. Max-Wilhelm Bruker's FTP server, BFTPD, is an FTP server for Linux, BSD/OS, FreeBSD, DG/UX and Tru64 that runs either under inetd or standalone. This version of BFTPD has several bugs in the functions "sendstrf" and "dirlist" in the file "dirlist.c". The format string vulnerability arises when "sendstrf" is called from the NLST handler to list a file whose name contains format directives such as %p%p%p%p: the file name is passed to vsprintf as the format string rather than as an argument, so it controls the formatting and can also overflow vsprintf's output buffer. When a file named "%p%p%p%p" exists and the NLST command is issued, the server returns the following:

```text
# ls
%p%p%p%p
ftp> nlist
200 PORT ... OK
150 Data connection established.
....0xbffdde140x499e8100x424000bb.......
226 Directory list has been submitted
ftp>
```

If a remote attacker has write access to any directory served by the FTP server, they can use this vulnerability to execute arbitrary code and gain root access.
* Platforms Affected: BSD (any version), DG/UX (any version), FreeBSD (any version), Linux (any version), Solaris (any version), Tru64 UNIX (any version), bftpd 1.0.12
* References: http://www.securiteam.com/unixfocus/6N00E0A0KW.html |
| Recommendation |
Upgrade to BFTPD 1.0.13 or the latest version, available from the BFTPD web site, http://www.bftpd.org. At the time of writing, the latest version, BFTPD 1.0.23, was released on Dec. 14, 2002.
As a workaround, change line 62 of bftpd-1.0.11/dirlist.c as follows, then recompile and reinstall: sendstrf(s, entry->d_name); => sendstrf(s, "%s", entry->d_name); |
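The following is an added illustration of the workaround above; it is not bftpd's own code. It assumes a stand-in `sendstrf` that formats into a fixed buffer (rather than writing to the control socket) so the output can be inspected, and it shows the corrected call pattern, where the directory entry name is only ever an argument to a fixed "%s" format. A small audit helper counts the '%' characters in a name, which is what turns an entry name into format directives under the unsafe `sendstrf(s, entry->d_name)` pattern; that unsafe pattern is described in comments but deliberately not executed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not bftpd's code. Stand-in for bftpd's sendstrf():
 * formats into a fixed buffer instead of writing to the control socket,
 * so the produced line can be checked. */
static char out[256];

static int sendstrf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* vsnprintf rather than vsprintf: output length is bounded by the buffer. */
    int n = vsnprintf(out, sizeof out, fmt, ap);
    va_end(ap);
    return n;
}

/* Corrected pattern from the advisory's workaround: the entry name is an
 * argument to a fixed "%s" format, never the format string itself. The
 * vulnerable pattern, sendstrf(s, entry->d_name), would let a file named
 * "%p%p%p%p" drive the formatting; it is intentionally not called here. */
const char *list_entry_fixed(const char *d_name)
{
    sendstrf("%s\r\n", d_name);
    return out;
}

/* Audit helper: count '%' characters in an entry name. Under the unsafe
 * call each one starts a conversion directive; under the fixed call the
 * name is emitted verbatim regardless of this count. */
int count_format_directives(const char *d_name)
{
    int n = 0;
    for (const char *p = d_name; *p; p++)
        if (*p == '%')
            n++;
    return n;
}

int main(void)
{
    /* Constructed entry name resembling the one in the advisory. */
    const char *name = "%p%p%p%p";
    printf("'%%' characters in name: %d\n", count_format_directives(name));
    printf("fixed listing line: %s", list_entry_fixed(name));
    return 0;
}
```

With the fixed call, the name "%p%p%p%p" is returned in the listing exactly as written, which is the behaviour the workaround restores.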
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |