There is a buffer overflow vulnerability in ftpcmd.c. A 16-byte buffer is filled via sprintf() with user input using the format string %d.%d.%d.%d. The 16-byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the %d format specifier accepts more than 3 digits per octet, so client-supplied values longer than that overrun the buffer.
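The following is an added example, not uftpd's own code: a hardened replacement for the unchecked sprintf() formatting the advisory describes, which range-checks each octet and verifies snprintf()'s return value against the 16-byte buffer. The function names and the sample octet values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size the advisory describes: room for "255.255.255.255" plus NUL. */
#define ADDR_BUF_LEN 16

/* Hardened formatter (added example, not uftpd's own code): each octet is
 * range-checked and snprintf's return value is verified, so the output can
 * never exceed the caller's buffer however many digits the client sent. */
int format_addr_safe(char *out, size_t outlen, int a, int b, int c, int d)
{
    const int octets[4] = { a, b, c, d };
    if (outlen == 0)
        return -1;
    for (int i = 0; i < 4; i++)
        if (octets[i] < 0 || octets[i] > 255)
            return -1;                       /* not a valid IPv4 octet */
    int n = snprintf(out, outlen, "%d.%d.%d.%d", a, b, c, d);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                       /* would truncate: fail closed */
        return -1;
    }
    return 0;
}

/* Bytes the unchecked sprintf("%d.%d.%d.%d") in the advisory would write
 * (excluding NUL); measured with snprintf so nothing is overrun here. */
int unchecked_addr_len(int a, int b, int c, int d)
{
    return snprintf(NULL, 0, "%d.%d.%d.%d", a, b, c, d);
}

/* Convenience for tests: 1 if the hardened formatter accepts the octets
 * into a 16-byte buffer and produces exactly `expected`, else 0. */
int safe_addr_equals(int a, int b, int c, int d, const char *expected)
{
    char buf[ADDR_BUF_LEN];
    if (format_addr_safe(buf, sizeof buf, a, b, c, d) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("unchecked length for four 6-digit octets: %d (buffer is %d)\n",
           unchecked_addr_len(999999, 999999, 999999, 999999), ADDR_BUF_LEN);
    printf("255.255.255.255 accepted: %d\n",
           safe_addr_equals(255, 255, 255, 255, "255.255.255.255"));
    printf("999999.1.1.1 accepted: %d\n", safe_addr_equals(999999, 1, 1, 1, ""));
    return 0;
}
```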
To reproduce this vulnerability, connect with netcat <ip> <port>, write the following to the FTP server socket, and observe that the child process spawned for the connection aborts with SIGABRT:
Fixed in v2.11.
The only possible workaround is to disable the FTP service until it can be updated to v2.11.
Reported by Aaron Esau.
For more information
If you have any questions or comments about this advisory, email Joachim Nilsson.
- Arinerron Aaron Esau