[Dailydave] ProFTPD, Helix Server bugs
Evgeny Legerov
admin at gleg.net
Thu Nov 23 07:30:10 EST 2006
Hi,
If you think that I never report my bugs to vendors - I do that, sometimes.
Here are a few examples (it is probably worth releasing a couple of
advisories):
https://lists.helixcommunity.org/pipermail/server-cvs/2006-June/003176.html
https://helixcommunity.org/plugins/scmcvs/cvsweb.kliu.php/server/protocol/rtsp/rtspserv.cpp?cvsroot=%2F
(search for "GLEG")
This one was published somewhere; I reported it to the ProFTPD team as well.
proftpd/contrib/mod_tls.c:
"""
...
if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
    datalen = BIO_get_mem_data(mem, &data); ### we can control datalen
if (data) {
    memset(&buf, '\0', sizeof(buf));
    memcpy(buf, data, datalen); ### plain buffer overflow here
    ...
}
"""
Note: I failed to exploit this particular ProFTPD bug.
--
Thanks,
-Evgeny
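
The copy pattern from the mod_tls.c excerpt above, with the length capped to the destination size before memcpy. This is an added example, not code from the original post or from ProFTPD: copy_name_bounded, demo and NAME_BUF_LEN are hypothetical names, 256 is an assumed buffer size, and the (data, datalen) pair stands in for what BIO_get_mem_data() returns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 256  /* assumed size; the post does not show buf's declaration */

/* Hypothetical helper: copy the rendered subject name (data, datalen) into a
 * fixed buffer. Returns bytes copied, or -1 if there is nothing valid to copy.
 * *truncated (optional) is set when the name did not fit. */
static long copy_name_bounded(char *buf, size_t buflen,
                              const char *data, long datalen, int *truncated) {
    if (truncated) *truncated = 0;
    if (buf == NULL || buflen == 0) return -1;
    memset(buf, '\0', buflen);
    if (data == NULL || datalen <= 0) return -1;   /* error or empty BIO */
    size_t n = (size_t)datalen;
    if (n > buflen - 1) {                          /* keep room for the NUL */
        n = buflen - 1;
        if (truncated) *truncated = 1;
    }
    memcpy(buf, data, n);                          /* length is capped by buflen */
    buf[n] = '\0';
    return (long)n;
}

/* Constructed input: `len` bytes of 'A' as the peer-supplied name, copied next
 * to a canary. Returns bytes copied, or -2 if the canary was overwritten. */
static long demo(long len, int *truncated) {
    static char big[4096];
    struct { char buf[NAME_BUF_LEN]; char canary[8]; } s;
    if (len > (long)sizeof(big)) len = (long)sizeof(big);
    memset(big, 'A', sizeof(big));
    memset(s.canary, 0x5a, sizeof(s.canary));
    long n = copy_name_bounded(s.buf, sizeof(s.buf), big, len, truncated);
    for (size_t i = 0; i < sizeof(s.canary); i++)
        if (s.canary[i] != 0x5a) return -2;
    return n;
}

int main(void) {
    int t;
    long n = demo(1000, &t);   /* name far longer than the buffer */
    printf("copied=%ld truncated=%d\n", n, t);
    return 0;
}
```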