Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

OpenBSD: 'ftpd' buffer overflow Print E-mail
User Rating:      How can I rate this item?
Posted by Team   
OpenBSD A relatively obscure one-byte buffer overflow bug present in ftpd(8) turnsout to be a serious problem, yielding remote users root access undercertain conditions.


                        OpenBSD Security Advisory

                            December 18, 2000

             Single-byte buffer overflow vulnerability in ftpd



A relatively obscure one-byte buffer overflow bug present in ftpd(8) turns
out to be a serious problem, yielding remote users root access under
certain conditions.  For a system to be vulnerable, ftpd must have been
explicitly enabled by the administrator (OpenBSD ships with it OFF by
default) and the attacker must have write access to at least one directory.
Therefore, anonymous read-only FTP servers are safe (we recommend applying
the patch regardless, of course).  Non-anonymous FTP administrators should
seriously consider using a more secure transport like SSH.

A fix for this problem was committed on December 4th.  OpenBSD developers
became aware of a publicly available exploit on December 17th.



This vulnerability affects OpenBSD versions through 2.8.  FreeBSD is
reportedly not vulnerable.  NetBSD is vulnerable to the same bug and a patch
was applied to their tree on December 14th.



The offending code is as follows:

        char npath[MAXPATHLEN];
        int i;

        for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
                npath[i] = *name;
                if (*name == '"')
                        npath[++i] = '"';
        npath[i] = '\0';

In , MAXPATHLEN is defined to be 1024 bytes.  The for()
construct here correctly bounds variable `i' to be < 1023, such that when
the loop has ended, no byte past npath[1023] may be written with '\0'.
However, since `i' is also incremented in the nested statements here,
it can become as large as 1024, and npath[1024] is past the end of the
allocated buffer space.



OpenBSD does not ship with ftpd enabled by default.  If you are using it,
disable it until you are fixed by editing /etc/inetd.conf and restarting
the inetd(8) daemon.

Then, apply the fix below to your OpenBSD 2.8 source tree. The patch is also
available at (005).



The original bug report,

Security and errata,

Olaf Kirch discusses one-byte overruns in a post to BUGTRAQ in 1998 with
subject "The poisoned NUL byte",



This vulnerability was first reported to OpenBSD Kristian Vlaardingerbroek
through the mailing list.  Kristian acknowledged in a later
post that it was Ronald (a.k.a. Scrippie) who originally found the bug.

The fix provided in the original bug report is incorrect.  Credit goes to
Jun-ichiro itojun Hagino <> for applying a safe fix to
the OpenBSD 2.8-current tree.  This patch has also been applied to the
stable branch.



Apply by doing:
        cd /usr/src
        patch -p0 < 005_ftpd.patch

And then rebuild and install ftpd:
        cd libexec/ftpd
        make obj
        make depend
        make install

Index: libexec/ftpd/ftpd.c
RCS file: /cvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.79
diff -u -r1.79 ftpd.c
--- libexec/ftpd/ftpd.c 2000/09/15 07:13:45     1.79
+++ libexec/ftpd/ftpd.c 2000/12/05 17:06:29
@@ -1959,15 +1959,21 @@
 replydirname(name, message)
        const char *name, *message;
+       char *p, *ep;
        char npath[MAXPATHLEN];
-       int i;

-       for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
-               npath[i] = *name;
-               if (*name == '"')
-                       npath[++i] = '"';
+       p = npath;
+       ep = &npath[sizeof(npath) - 1];
+       while (*name) {
+               if (*name == '"' && ep - p >= 2) {
+                       *p++ = *name++;
+                       *p++ = '"';
+               } else if (ep - p >= 1)
+                       *p++ = *name++;
+               else
+                       break;
-       npath[i] = '\0';
+       *p = '\0';
        reply(257, "\"%s\" %s", npath, message);

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.