Related information

realpath() BSD and wu-ftpd / BSD FTP / SSH buffer overflow

NetBSD Security Advisory 2003-011: off-by-one error in realpath(3)

FreeBSD Security Advisory FreeBSD-SA-03:08. realpath

wu-ftpd fb_realpath() off-by-one bug

From:	kingcope_(at)_gmx.net <kingcope_(at)_gmx.net>
Date:	19.05.2007
Subject:	[Full-disclosure] ssh.com ssh-3.2.9.1 sftp server remote off by one

ssh.com ssh-3.2.9.1 sftp server remote off by one

***ATTENTION***This has not been tested under reallife conditions***

ssh-3.2.9.1 which is available from http://ftp.ssh.com/pub/ssh/
contains the same old rootd off by one bug as described bei isec.pl here:
http://www.isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

The file ssh-3.2.9.1/lib/sshfilexfer/sshunixrealpath.c reads

/*
* char *ssh_realpath(const char *path, char resolved_path[MAXPATHLEN]);
*
* Find the real name of path, by removing all ".", ".." and symlink
* components.  Returns (resolved) on success, or (NULL) on failure,
* in which case the path which caused trouble is left in (resolved).
*
*/
char *ssh_realpath(const char *path, char *resolved)
{
 struct stat sb;
 int n, rootd, serrno;
...
...
...
...
...
/*
  * Join the two strings together, ensuring that the right thing
  * happens if the last component is empty, or the dirname is root.
  */
 if (resolved[0] == '/' && resolved[1] == '\0')
   rootd = 1;
 else
   rootd = 0;

 if (*wbuf)
   {
     if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) //
<----- !rootd
       {
         errno = ENAMETOOLONG;
         goto err1;
       }
     if (rootd == 0)
       (void)strcat(resolved, "/"); /* XXX: strcat is safe */
     (void)strcat(resolved, wbuf);     /* XXX: strcat is safe */
   }
...
...
...
...
...

ssh_realpath is called when theres an incoming SSH_FXP_REALPATH packet.
from sshfilexfers.c :

---snip---
case SSH_FXP_REALPATH:
     LOG(0, SSH_LOG_INFORMATIONAL, ("Received SSH_FXP_REALPATH"));

     /* Parse the REALPATH message. */
     if (ssh_decode_array(data, len,
                          SSH_FORMAT_UINT32, &id,
                          SSH_FORMAT_UINT32_STR, &name, NULL,
                          SSH_FORMAT_END) != len || len == 0)
       {
         ssh_warning("ssh_file_server_receive_proc: bad REALPATH");
         goto return_bad_status;
       }

     LOG(0, SSH_LOG_INFORMATIONAL, ("Resolving path to `%s'", name));

     if (ssh_realpath(name, resolved) == NULL)
       {
---snip---

old pure-ftpd and openssh versions contain the same code but thats
out of scope, just to mention ssh.com's opensource ssh because
it's unpatched and CURRENT.


big
thanxx to thierry alex sead blackzero wY! andi! rembrandt and revoguard

Signed,
Kingcope kingcope[at]gmx.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/