Re: [Full-Disclosure] DoS in PureFTPd



On Mon, Nov 10, 2003 at 04:35:06PM +0100, Adam Zabrocki wrote:
>     The vulnerable function is displayrate(). There is a simple
> overflow bug (DoS):

  Killing one's own session is not a DoS.

          const size_t sizeof_resolved_path = MAXPATHLEN + 1U;  
          resolved_path[sizeof_resolved_path - 1U] = 0; 
>         if (realpath(name, resolved_path) == NULL) {
> ...
>         if (resolved_path[sizeof_resolved_path - 1U] != 0) {

  This realpath() doesn't fill more than MAXPATHLEN, including the zero; we
even have an extra byte here. The code you are talking about is never
supposed to be reached.

> Function realpath() is written by the author of PureFTP.

  No.
  
/*
 * Copyright (c) 1994
 *      The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Jan-Simon Pendry.
 *

  Zok.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
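
The sentinel-byte pattern quoted in the message above, written out as an added example that is not part of the original e-mail and is not PureFTPd source. The helper `resolve_checked()`, the `resolve_status` values, `RESOLVED_SIZE` and `probe_overlong()` are hypothetical names; the test paths are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>                /* MAXPATHLEN */

enum resolve_status { RESOLVE_OK = 0, RESOLVE_FAILED = -1, RESOLVE_OVERRUN = -2 };

/* One byte more than realpath() may write, as in the quoted code. */
#define RESOLVED_SIZE (MAXPATHLEN + 1U)

/* Hypothetical helper: 'out' must point to RESOLVED_SIZE bytes. */
static int resolve_checked(const char *name, char *out)
{
    out[RESOLVED_SIZE - 1U] = 0;      /* plant the sentinel in the extra byte */
    if (realpath(name, out) == NULL) {
        out[0] = 0;                   /* never hand back a partial result */
        return RESOLVE_FAILED;
    }
    /* A conforming realpath() writes at most MAXPATHLEN bytes including
     * the terminator, so this branch is defensive and should be dead. */
    if (out[RESOLVED_SIZE - 1U] != 0) {
        return RESOLVE_OVERRUN;
    }
    return RESOLVE_OK;
}

/* Constructed input: a relative name far longer than MAXPATHLEN. */
static int probe_overlong(void)
{
    static char name[2U * MAXPATHLEN];
    static char out[RESOLVED_SIZE];

    memset(name, 'a', sizeof name - 1U);
    name[sizeof name - 1U] = 0;
    return resolve_checked(name, out);
}

int main(void)
{
    char out[RESOLVED_SIZE];

    printf("\"/\"      -> %d (%s)\n", resolve_checked("/", out), out);
    printf("overlong -> %d\n", probe_overlong());
    return 0;
}
```

An overlong name is rejected by realpath() itself and surfaces as `RESOLVE_FAILED`; the sentinel branch only fires if the library writes past its documented limit.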