smbftpd 0.96 format string vulnerability

       smbftpd 0.96 format string vulnerability         

           maybe earlier versions as well

Date: 01 Oct 2007

Author: Jerry Illikainen

           email:  jerry@debork.se
           www:    debork.se

Introduction

"SmbFTPD is a FTP daemon for FreeBSD, Linux, and other UNIX like operating system. It has flexible directory access control facility that could be combined with Samba's share access right."

Vulnerability

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A format string vulnerability exist in the SMBDirList-function, dirlist.c, which gets called when a LIST/NLST is issued. It could be triggered by the way it outputs recursive listing on directories. It's caused due to misuse of fprintf.

In order for this vulnerability to be exploited, an attacker would need a valid account (including anonymous) with permission to create directories. Successful exploitation may allow an attacker to execute arbitrary code.

Proof of concept

http://debork.se/poc/001_smbftpd.c

Fix
---

Update to version 0.97

---

Jerry Illikainen Received on Mon Oct 1 14:53:44 2007