Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] hpaftpd Multiple Buffer Overflows

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] hpaftpd Multiple Buffer Overflows
Date: 26 Mar 2007 13:41:19 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  hpaftpd Multiple Buffer Overflows
------------------------------------------------------------------------


SUMMARY

 <http://hpaftpd.sourceforge.net/> hpaftpd is "a high performance 
anonymous FTP server (RFC 0959). It is designed to run without forks or 
threads and with low memory usage, so it's suitable for heavy network 
traffic with very many connections". beSTORM found multiple buffer 
overflows in hpaftpd, these vulnerabilities are caused by improper usage 
of the insecure sprintf function.

DETAILS

Vulnerable Systems:
 * hpaftpd version 1.01

The hpaftpd reads receives user provided data using the following code:
n = nb_get(nbc, buf, BUF_SIZE - 1);

While BUF_SIZE is defined as:
#define BUF_SIZE    8192

The same BUF_SIZE is used whenever hpaftpd wants to write something to the 
log/user, here is one example which is returned once the user has provided 
a username:
sprintf(obuf, "331 Password required for %s\r\n", ftpc->user);

As you can see, even though ftpc->user is limited to 8192, the obuf is 
also limited to 8192:
char buf[BUF_SIZE], obuf[BUF_SIZE]; /* Input buffer, output buffer */

Allowing us to supply numerous commands and arguments which in turn will 
overflow the obuf buffer.

The following commands can be used to overflow the obuf buffer:
 * USER
 * PASS (with a combination of a USER command)
 * CWD
 * MKD
 * RMD
 * DELE
 * RNFR
 * RNTO (with a vald RNFR combination)

Site note:
There appears to be a past attempt to prevent buffer overflows found in 
the path related functions, as they use snprintf instead of sprintf.


ADDITIONAL INFORMATION

This vulnerability has been found by  
<http://www.beyondsecurity.com/beSTORM> beSTORM. Visit our web site to 
download a free 30 day evaluation of beSTORM.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] hpaftpd Multiple Buffer Overflows, SecuriTeam <=
Previous by Date:  [EXPL] WarFTP Stack Based Buffer Overflow (Username), SecuriTeam
Next by Date:  [EXPL] Microsoft Internet Explorer Recordset Double Free Memory (MS07-009, Exploit), SecuriTeam
Previous by Thread:  [EXPL] WarFTP Stack Based Buffer Overflow (Username), SecuriTeam
Next by Thread:  [EXPL] Microsoft Internet Explorer Recordset Double Free Memory (MS07-009, Exploit), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]