xorl %eax, %eax

FTPDMIN RNFR Remote Buffer Overflow


FTPDMIN is a minimal FTP server for Windows written by Matthias Wandel. The bug discussed here was found and exploited by rgod. He states that he found this bug in 2006 but publicly disclosed it on 11 April 2009. Here is the vulnerable code from ftpdmin.c:

// FTP Command tokens
typedef enum {
    ...
    STOR, REST, RNFR, RNTO,
    ...
}CmdTypes;
    ...
//------------------------------------------------------------------------------------
// Main loop - handle the FTP commands that are implemented.
//------------------------------------------------------------------------------------
static void ProcessCommands(Inst_t * Conn)
{
    // Data buffer for reading FTP command codes
    char buf[MAX_PATH+10];
    char repbuf[MAX_PATH+10];
    char * NewPath;
    ...
    for(;;){
    ...
        FtpCommand = GetCommand(Conn, buf);

        switch(FtpCommand){
    ...
            case RNFR:
                NewPath = TranslatePath(buf);
                if (NewPath){
                    strcpy(repbuf, NewPath);
                    SendReply(Conn, "350 File Exists");
    ...
}


Well yeah… a strcpy() overflow in the RNFR (ReName FRom) command case: NewPath comes from the client-supplied path and is copied into the fixed-size repbuf with no length check. Anyway, Matthias Wandel hasn’t released a patched version yet. But it’s not important in my opinion. This is just a pet project… If you use this FTP server just replace the above strcpy() with:

strncpy(repbuf, NewPath, sizeof (repbuf)-1);
repbuf[sizeof(repbuf)-1] = 0;

:-P
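To make the difference concrete, here is an added example (my own code, not from ftpdmin.c or its author) that puts the post's bounded-copy fix next to a stricter variant which rejects over-long paths instead of truncating them. The MAX_PATH value, the RNFR_* result codes and the demo_overlong() driver are assumptions for this example; the over-long path it feeds both handlers is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Windows MAX_PATH (260) that ftpdmin.c sizes its buffers by. */
#define MAX_PATH 260
#define REPBUF_SIZE (MAX_PATH + 10)

/* Result codes for the checked variant (hypothetical names, not from ftpdmin). */
enum { RNFR_OK = 0, RNFR_TOO_LONG = 1 };

/* The fix the post suggests: bounded copy plus an explicit terminator.
 * Returns the number of bytes actually stored in repbuf. */
size_t rnfr_copy_bounded(char *repbuf, size_t repbuf_size, const char *newpath)
{
    strncpy(repbuf, newpath, repbuf_size - 1);
    repbuf[repbuf_size - 1] = '\0';
    return strlen(repbuf);
}

/* Stricter variant: reject a path that does not fit rather than truncating it,
 * because a silently shortened rename source may refer to a different file. */
int rnfr_copy_checked(char *repbuf, size_t repbuf_size, const char *newpath)
{
    size_t n = strlen(newpath);
    if (n >= repbuf_size)
        return RNFR_TOO_LONG;           /* caller would send a 5xx reply */
    memcpy(repbuf, newpath, n + 1);     /* n + 1 includes the terminator */
    return RNFR_OK;
}

/* Feeds both handlers a constructed path 100 bytes longer than repbuf (input that
 * overflows the original strcpy()). Returns the bounded copy's stored length and
 * writes the checked variant's result code to *checked. */
size_t demo_overlong(int *checked)
{
    char repbuf[REPBUF_SIZE];
    char longpath[REPBUF_SIZE + 100];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    *checked = rnfr_copy_checked(repbuf, sizeof repbuf, longpath);
    return rnfr_copy_bounded(repbuf, sizeof repbuf, longpath);
}

int main(void)
{
    int checked;
    size_t stored = demo_overlong(&checked);
    printf("bounded copy kept %zu bytes (buffer holds %d)\n", stored, REPBUF_SIZE);
    printf("checked copy: %s\n", checked == RNFR_TOO_LONG ? "rejected" : "accepted");
    return 0;
}
```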

Written by xorl

April 13, 2009 at 13:50

Posted in bugs
