bftpd Vulnerabilities

New (3.1.3)

Impact

Malicious users exploiting these vulnerabilities are able to gain unauthorized access or disrupt service on a target system.


Background

The File Transfer Protocol (FTP) allows a client to store or retrieve files on a server. bftpd is a server which implements FTP on Unix platforms.

The Problems and Resolutions


Buffer overflow in SITE CHOWN

A remote attacker could execute arbitrary code by sending a very long argument with the SITE CHOWN command. A valid user account is required to exploit this vulnerability, but this could be the anonymous account if anonymous access is allowed. Any version of bftpd with SITE commands enabled is affected by this vulnerability. (It is only enabled by default in versions 1.0.13 and earlier.)

The fix is to set ENABLE_SITE to no in /etc/bftpd.conf, which disables SITE commands (including SITE CHOWN) for the server.
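To check the setting above across a configuration file, here is an added audit script (not part of bftpd). It assumes bftpd.conf syntax of nested blocks ("global {", "user name {", "}"), KEY="value" lines, '#' comments, and per-user blocks inheriting from global; an absent ENABLE_SITE falls back to the version default stated above (on for 1.0.13 and earlier, off afterwards):

```python
"""Audit a bftpd.conf for live SITE commands (added example, not bftpd code).
Assumed syntax: nested 'name {' / '}' blocks, KEY="value", '#' comments."""
import re

# Constructed sample: SITE still on globally, switched off only for anonymous.
SAMPLE_CONF = """\
global {
  PORT="21"
  ENABLE_SITE="yes"      # SITE CHOWN reachable by every other account
  user anonymous {
    ANONYMOUS_USER="yes"
    ENABLE_SITE="no"
  }
  user ftpadmin {
    ROOTDIR="/srv/ftp"
  }
}
"""

_SETTING = re.compile(r'^([A-Z_]+)\s*=\s*"([^"]*)"')

def parse_bftpd_conf(text):
    """Return {block_path: {KEY: value}}, e.g. 'global/user anonymous'."""
    blocks, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.endswith("{"):                # block opens: push its name
            path.append(line[:-1].strip())
            blocks.setdefault("/".join(path), {})
        elif line == "}":                     # block closes: pop
            path.pop()
        else:
            m = _SETTING.match(line)
            if m and path:
                blocks["/".join(path)][m.group(1)] = m.group(2)
    return blocks

def site_enabled(blocks, version):
    """List blocks where SITE commands are effectively enabled.
    Missing ENABLE_SITE -> version default (on for <= 1.0.13, per the text);
    user blocks without their own setting inherit the global value (assumed)."""
    vtuple = tuple(int(p) for p in version.split("."))
    default = "yes" if vtuple <= (1, 0, 13) else "no"
    g = blocks.get("global", {}).get("ENABLE_SITE", default).lower()
    return [name for name, s in blocks.items()
            if s.get("ENABLE_SITE", g).lower() == "yes"]

if __name__ == "__main__":
    print(site_enabled(parse_bftpd_conf(SAMPLE_CONF), "1.0.13"))
```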


Format string vulnerability in LIST and NLIST

A format string vulnerability could allow an attacker to crash the server by listing a directory which contains a file with a very long filename. To exploit this vulnerability, an attacker would require access to a writable directory, either anonymously or as an authenticated user, in order to create the file with the long filename.

bftpd 1.0.12 and prior versions are affected by this vulnerability. The fix is to upgrade to the latest version.


Buffer overflow in USER

A remote attacker could crash the FTP server by sending a very long argument to the USER command. It is unlikely that this could be used to execute commands, however, because bftpd strips non-printable characters (which shellcode typically contains) from arguments before they are processed.

bftpd 1.0.11 and possibly prior versions are affected by this vulnerability. The fix is to upgrade to the latest version.

Where can I read more about this?

The SITE CHOWN, LIST, and USER vulnerabilities were each posted to Bugtraq.

Additionally, you can read more about securing all information servers at this CIAC site.