
gnutftp.txt
Posted Oct 27, 2004
Authored by infamous41md

The GNU tftp client in inetutils-1.4.2 is susceptible to buffer overflow attacks. Because untrusted data from a DNS-resolved hostname is copied into finite static buffers without any bounds checking, several buffers in the .bss can be overflowed. Arbitrary code execution is possible.

tags | advisory, overflow, arbitrary, code execution
SHA-256 | 5eb3d155894c1cfde68846c89bedeb4204bb3d8d2f781339cec732d062d962a0

Subject:

GNU tftp client remote buffer overflows.

++++++++++++++++++++++++++++++++++++++++++++

Product:

The tftp client that comes with the inetutils package. It's found on all unices
I know of.

++++++++++++++++++++++++++++++++++++++++++++

Vulnerable:

inetutils-1.4.2 was the only version audited.

++++++++++++++++++++++++++++++++++++++++++++

Summary:

Untrusted data from a DNS-resolved hostname is copied into finite static buffers
without any bounds checking. We can overflow several buffers located in the
.bss. Also located in the .bss are function pointers used to implement ftp
commands, so exploitation with code execution is possible.

++++++++++++++++++++++++++++++++++++++++++++

Details:

The overflows all stem from data returned by gethostbyname(). Rather than
copying that data using the length of the destination buffer, the code uses the
length of the source buffer, or no length at all in the case of strcpy(). An
attacker could configure their DNS server maliciously, or a local attacker on a
LAN could spoof replies to neighbors to exploit this.


main.c:227: bcopy(host->h_addr, &peeraddr.sin_addr, host->h_length);
main.c:228: strcpy(hostname, host->h_name);
main.c:366: bcopy(hp->h_addr, (caddr_t)&peeraddr.sin_addr, hp->h_length);
main.c:369: strcpy(hostname, hp->h_name);
main.c:457: bcopy(hp->h_addr, (caddr_t)&peeraddr.sin_addr, hp->h_length);
main.c:461: strcpy(hostname, hp->h_name);
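
As an added illustration (not code from inetutils and not the vendor's fix), the copy pattern listed above can be bounded by the destination sizes instead of the resolver-supplied ones. The names set_peer, demo_case and HOSTNAME_SZ are hypothetical, and the 64-byte buffer size is an assumption; the hostent records are constructed in memory, with no DNS lookup.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#define HOSTNAME_SZ 64 /* assumed size; the advisory does not give the real one */

/* Bounds-checked stand-in for the bcopy()/strcpy() pairs listed above.
 * Returns 0 on success, -1 if the resolver data does not fit the
 * destinations; on failure neither destination is written. */
int set_peer(const struct hostent *hp, struct sockaddr_in *peer,
             char *hostname, size_t hostname_sz)
{
    size_t name_len;

    if (!hp || !hp->h_name || !hp->h_addr_list || !hp->h_addr_list[0])
        return -1;
    /* Validate against the destination size, not the source's h_length. */
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(peer->sin_addr))
        return -1;
    name_len = strlen(hp->h_name);
    if (name_len >= hostname_sz) /* reject instead of truncating silently */
        return -1;
    memcpy(&peer->sin_addr, hp->h_addr_list[0], sizeof(peer->sin_addr));
    memcpy(hostname, hp->h_name, name_len + 1);
    return 0;
}

/* Feeds set_peer() a constructed hostent (no DNS lookup is made) whose
 * name is name_len 'a' characters long, and returns set_peer()'s result. */
int demo_case(size_t name_len, int h_length)
{
    static char hostname[HOSTNAME_SZ];
    char name[512] = {0}, addr[16] = {127, 0, 0, 1}, *addrs[] = {addr, NULL};
    struct sockaddr_in peer = {0};
    struct hostent h = {0};

    if (name_len >= sizeof(name))
        return -2;
    memset(name, 'a', name_len);
    h.h_name = name;
    h.h_addrtype = AF_INET;
    h.h_length = h_length;
    h.h_addr_list = addrs;
    return set_peer(&h, &peer, hostname, sizeof(hostname));
}
```

Rejecting an over-long name, rather than truncating it, keeps the client from continuing with a hostname that differs from what the resolver returned.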

++++++++++++++++++++++++++++++++++++++++++++

Vendor:

Was notified weeks ago, and has corrected the problem in a new version.


--
-sean
