FTPDMIN RNFR Remote Buffer Overflow
FTPDMIN is a minimal FTP server for Windows written by Matthias Wandel. The bug discussed here was found and exploited by rgod. He states that he found this bug in 2006 but publicly disclosed it on 11 April 2009. Here is the vulnerable code from ftpdmin.c:
```c
// FTP Command tokens
typedef enum {
    ...
    STOR, REST, RNFR, RNTO,
    ...
} CmdTypes;

...

//------------------------------------------------------------------------------------
// Main loop - handle the FTP commands that are implemented.
//------------------------------------------------------------------------------------
static void ProcessCommands(Inst_t * Conn)
{
    // Data buffer for reading FTP command codes
    char buf[MAX_PATH+10];
    char repbuf[MAX_PATH+10];
    char * NewPath;
    ...
    for(;;){
        ...
        FtpCommand = GetCommand(Conn, buf);

        switch(FtpCommand){
            ...
            case RNFR:
                NewPath = TranslatePath(buf);
                if (NewPath){
                    strcpy(repbuf, NewPath);
                    SendReply(Conn, "350 File Exists");
            ...
}
```
Well yeah, a strcpy() overflow in the RNFR (ReName FRom) command handler. TranslatePath() builds a path from the client-supplied RNFR argument, and the result is copied into the fixed-size local repbuf[MAX_PATH+10] without any length check, so an over-long argument writes past the end of repbuf on the stack of ProcessCommands(). Matthias Wandel hasn't released a patched version yet, but that is not important in my opinion; this is just a pet project. If you use this FTP server, just replace the above strcpy() with:
```c
strncpy(repbuf, NewPath, sizeof (repbuf)-1);
repbuf[sizeof(repbuf)-1] = 0;
```
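To make the bug and the fix concrete, here is an added, self-contained example (my code, not FTPDMIN's) that reduces the RNFR case above to a test harness: one function reports whether the unbounded strcpy() would overrun a buffer sized like repbuf, a second applies the strncpy()-plus-terminator fix suggested above and reports whether it truncated, and a third rejects over-long paths outright. TranslatePath() is not reproduced; the stand-in translate_path() simply prefixes a hypothetical server root, which is only an assumption about why the translated path can exceed MAX_PATH+10 bytes. MAX_PATH is assumed to be 260 (the Windows value) when not building on Windows, and the 300-byte RNFR argument is a constructed sample.

```c
/* Added example, not FTPDMIN's code: the RNFR strcpy() pattern beside two
 * bounded versions. Builds with any C99 compiler on Windows or POSIX. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifndef MAX_PATH
#define MAX_PATH 260                  /* Windows value; assumed for portability */
#endif

#define REPBUF_SIZE (MAX_PATH + 10)   /* same size as repbuf[] in ProcessCommands() */

/* Shared destination buffer, same size as the real repbuf[]. */
char g_repbuf[REPBUF_SIZE];

/* Stand-in for TranslatePath() (assumption: it prefixes a server root). */
static const char *g_root = "C:\\ftproot\\";
static char g_translated[4096];

static const char *translate_path(const char *arg)
{
    snprintf(g_translated, sizeof g_translated, "%s%s", g_root, arg);
    return g_translated;
}

/* Constructed sample: an RNFR argument of 300 'A's, longer than repbuf[]. */
const char *long_arg(void)
{
    static char arg[301];
    memset(arg, 'A', 300);
    arg[300] = '\0';
    return arg;
}

/* The vulnerable shape: strcpy(repbuf, NewPath) writes strlen(NewPath)+1
 * bytes with no bound. We only evaluate the condition instead of
 * performing the overrun. Returns 1 if the copy would overflow. */
int rnfr_would_overflow(const char *arg)
{
    const char *newpath = translate_path(arg);
    return strlen(newpath) + 1 > REPBUF_SIZE;
}

/* The fix from the post: bounded copy plus explicit terminator. strncpy()
 * alone does not terminate when the source is too long, hence the second
 * line. Returns 1 if the path was truncated, 0 otherwise. */
int rnfr_truncate(const char *arg, char *repbuf, size_t replen)
{
    const char *newpath = translate_path(arg);
    strncpy(repbuf, newpath, replen - 1);
    repbuf[replen - 1] = '\0';
    return strlen(newpath) >= replen;
}

/* Stricter alternative: refuse the command instead of silently renaming a
 * different (truncated) path. Returns 0 on success, -1 if rejected; the
 * caller should then send an error reply rather than "350 File Exists". */
int rnfr_reject(const char *arg, char *repbuf, size_t replen)
{
    const char *newpath = translate_path(arg);
    size_t need = strlen(newpath) + 1;
    if (need > replen)
        return -1;
    memcpy(repbuf, newpath, need);
    return 0;
}

int main(void)
{
    printf("short arg overflows: %d\n", rnfr_would_overflow("readme.txt"));
    printf("long arg overflows:  %d\n", rnfr_would_overflow(long_arg()));
    printf("truncate flagged:    %d (len %zu)\n",
           rnfr_truncate(long_arg(), g_repbuf, sizeof g_repbuf), strlen(g_repbuf));
    printf("reject result:       %d\n", rnfr_reject(long_arg(), g_repbuf, sizeof g_repbuf));
    return 0;
}
```

Note that the strncpy() fix stops the memory corruption but silently changes which file the client is renaming when the path is cut short; for a server that is more than a pet project, rejecting the command as rnfr_reject() does is the safer behaviour.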
:-P