Impact
There is a buffer overflow vulnerability in `handle_PORT` in `ftpcmd.c`. It is caused by a 16-byte buffer being filled via `sprintf()` with user input, using the format string `%d.%d.%d.%d`. The 16-byte size is correct for valid IPv4 addresses (`len('255.255.255.255') == 16`), but the format specifier `%d` allows more than 3 digits per field, so the formatted string can exceed the buffer.
To reproduce this vulnerability, connect with `netcat <ip> <port>`, send the following line to the FTP server socket, and observe that the child process spawned for the connection aborts with SIGABRT:
PORT 13371337,12341234,12345678,10102929,1,2
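The root cause described above is that field values are formatted before they are range-checked. The following is an added example of a hardened PORT argument parser, not the project's own code or its actual fix: every field is validated against 0..255 before any formatting, and the address is written with a bounded `snprintf()` whose return value is checked. The function name `parse_port_args` is an assumption for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Parse the six comma-separated decimal fields of a PORT argument
 * ("h1,h2,h3,h4,p1,p2"), e.g. "192,168,1,10,4,210".
 * Each field is range-checked before any formatting happens, so an
 * over-long numeric field can never reach the 16-byte address buffer.
 * Returns 0 on success and fills addr/port; returns -1 on malformed input.
 * (Hypothetical function, not the project's API.) */
int parse_port_args(const char *arg, char addr[16], unsigned short *port)
{
    long v[6];
    const char *p = arg;
    char *end;

    for (int i = 0; i < 6; i++) {
        /* Require a digit first: strtol would otherwise skip whitespace
         * and accept a sign, which a PORT field must not contain. */
        if (*p < '0' || *p > '9')
            return -1;
        errno = 0;
        v[i] = strtol(p, &end, 10);
        /* Reject overflow (ERANGE) and anything outside 0..255 */
        if (errno != 0 || v[i] < 0 || v[i] > 255)
            return -1;
        if (i < 5) {
            if (*end != ',')
                return -1;
            p = end + 1;
        } else if (*end != '\0' && *end != '\r' && *end != '\n') {
            return -1;   /* trailing garbage after the sixth field */
        }
    }

    /* Each octet is now at most 3 digits, so the result fits in 16 bytes;
     * still use a bounded write and check for truncation (defence in depth). */
    int n = snprintf(addr, 16, "%ld.%ld.%ld.%ld", v[0], v[1], v[2], v[3]);
    if (n < 0 || n >= 16)
        return -1;

    *port = (unsigned short)(v[4] * 256 + v[5]);
    return 0;
}
```

Fed the reproduction string from this advisory, the parser rejects the first field (13371337 > 255) and returns -1 before touching the address buffer.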
Patches
Fixed in v2.11.
Workarounds
The only possible workaround is to disable the FTP service until it can be updated to v2.11.
References
Reported by Aaron Esau.
For more information
If you have any questions or comments about this advisory, email Joachim Nilsson