| VID |
16050 |
| Severity |
40 |
| Port |
21 |
| Protocol |
TCP |
| Class |
FTP |
| Detailed Description |
The BFTPD daemon is vulnerable to a denial of service attack via a long USER command. BFTPD version 1.0.11 has a bug in the command_user() function in bftpd-1.0.11/commands.c: the function does not check the bounds of a buffer, which causes a buffer overflow. The overflow is triggered by sending more than 35 characters in a USER command, as follows:
USER AAAA...['A'*35]...AAAAA
This can result in a segmentation fault and crash the BFTPD daemon. Because the BFTPD daemon filters non-printable characters (such as shellcode) to prevent an elevation of privileges, it is unlikely that this could be used to execute commands. However, it is possible for a remote attacker to crash their own session by sending invalid input.
* Platforms Affected: BFTPD version 1.0.11
* References: http://online.securityfocus.com/bid/1858, http://www.iss.net/security_center/static/5426.php |
| Recommendation |
Upgrade to BFTPD 1.0.12 or the latest version, available from Max-Wilhelm Bruker's bftpd web site, http://www.bftpd.org. The latest version, BFTPD 1.0.23, was released on Dec. 14, 2002.
As a workaround, modify line 109 in bftpd-1.0.11/commands.c as follows, then re-compile and install:
alias = (char *) config_getoption(strcat(name, username)); => alias = (char *) config_getoption(strncat(name, username, USERLEN)); |
| Related URL |
CVE-2000-0943 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
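The workaround in the Recommendation replaces strcat() with strncat(). The following added example (not BFTPD source code) shows a bounded append that rejects an over-long USER argument; note that the count passed to strncat() limits the bytes appended, so it must be the room left in the destination. NAME_SIZE, KEY_PREFIX and the function names are assumptions made for the illustration, since the advisory does not give the real buffer size or contents.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 32          /* assumed size; the advisory does not state the real one */
#define KEY_PREFIX "ALIAS_"   /* assumed text already held in the buffer */

/* Append src to dst without writing past dst[dstsz - 1].
 * strncat's count is the room left in dst, not the total buffer size.
 * Returns 0 if all of src fit, -1 if it had to be truncated. */
static int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 > dstsz)
        return -1;
    size_t room = dstsz - used - 1;   /* keep one byte for the NUL */
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

/* Build the lookup key for a USER argument. Reject instead of truncating,
 * so a long name can never be mistaken for a shorter configured one. */
int build_user_key(char *out, size_t outsz, const char *username)
{
    if (outsz < sizeof(KEY_PREFIX))
        return -1;
    strcpy(out, KEY_PREFIX);          /* fits: size checked above */
    if (append_bounded(out, outsz, username) != 0) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience wrapper: 0 = accepted, -1 = rejected as too long. */
int check_user(const char *username)
{
    char name[NAME_SIZE];
    return build_user_key(name, sizeof name, username);
}

int main(void)
{
    /* Constructed inputs: a short name and a 40-character name. */
    printf("short: %d\n", check_user("ftp"));
    printf("long:  %d\n", check_user("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```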