Red Hat Bugzilla – Attachment 273771 Details for Bug 405841
CVE-2007-5769 ftp: netkit ftp - use of uninitialized variable
Original advisory text
AD_LAB-07009.txt (text/plain), 3.58 KB, created by Tomas Hoger on 2007-11-30 13:21:29 UTC
>netkit-ftpd/ftp uninitialized vulnerability
>
>[Security Advisory]
>
>Advisory: [AD_LAB-07009] netkit-ftpd/ftp uninitialized vulnerability
>
>Class: Design Error
>
>DATE:11/1/2007
>
>CVEID:CVE-2007-5769
>
>Vulnerable:
>    netkit-ftpd-0.17/netkit-ftp-0.17
>Vendor:
>
>I.Synopsis
>
>A vulnerability has been discovered in netkit-ftpd/ftp.
>
>II.DETAILS:
>----------
>
>Background
>
>netkit-ftpd is the Linux Netkit FTP server with optional SSL support.
>netkit-ftp is the client for the ftp protocol.
>
>Description
>
>There is an uninitialized vulnerability in function dataconn() in ftpd.c.
>
>    static FILE * dataconn(const char *name, off_t size, const char *mode)
>    {
>        char sizebuf[32];
>        FILE *file;   <-uninit variable.
>
>        ...
>        if (SSL_accept(ssl_data_con)<=0) {
>1459        static char errbuf[1024];
>1460
>1461        snprintf(errbuf, sizeof(errbuf), "ftpd: SSL_accept DATA error %s\n",
>1462                 ERR_error_string(ERR_get_error(),NULL));
>1463        perror_reply(425, errbuf);
>1464        /* abort time methinks ... */
>1465        fclose(file);   <-- close an uninit value.
>1466        return NULL;
>
>Program received signal SIGSEGV, Segmentation fault.
>0x6fca33fd in fclose () from /lib/libc.so.6
>(gdb) bt
>#0 0x6fca33fd in fclose () from /lib/libc.so.6
>#1 0x0804c601 in dataconn (name=0x77add110 "/bin/ls", size=<value optimized out>, mode=0x8053f4f "w") at ftpd.c:1465
>#2 0x0804d3f8 in retrieve (cmd=0x80550c7 "/bin/ls -lgA", name=0x77add110 "/bin/ls") at ftpd.c:1197
>#3 0x0805193a in yyparse () at ftpcmd.y:378) at ftpd.c:685
>
>In order to trigger this bug, the client should use passive mode to
>transfer data, and the SSL_accept should fail at line ftpd.c:1458. The
>client breaking the connection will cause the SSL_accept to fail.
>
>The same problem occurs in netkit-ftp's getreply() too.
>467 int
>468 getreply(int expecteof)
>469 {
>........
>520             (void) signal(SIGINT,oldintr);
>521             code = 221;
>522             return (0);
>523         }
>524         lostpeer(0);
>525         fclose(cout);
>
>Program received signal SIGSEGV, Segmentation fault.
>0x6fcb73fd in fclose () from /lib/libc.so.6
>(gdb) bt
>#0 0x6fcb73fd in fclose () from /lib/libc.so.6
>#1 0x0804fb9c in getreply (expecteof=0) at ftp.c:525
>#2 0x0804fe49 in abort_remote (din=0x8099a20) at ftp.c:2117
>#3 0x08052400 in recvrequest (cmd=0x80567f1 "LIST", local=0x8059400 "-", remote=0x0, lmode=0x8056b44 "w", printnames=0) at ftp.c:1288
>#4 0x0804bcb5 in ls (argc=1, argv=0x80650e0) at cmds.c:1429
>#5 0x08055382 in main (argc=-817625725, argv=0xc3010805) at main.c:484
>
>Impact
>Reading uninitialized variables can result in unpredictable behavior, crashes,
>or security holes.
>
>III.CREDIT:
>----------
>
>Venustech AD-LAB discovered this vuln. Thanks to all Venustech AD-Lab guys.
>
>V.DISCLAIMS:
>-----------
>
>The information in this bulletin is provided "AS IS" without warranty of any
>kind. In no event shall we be liable for any damages whatsoever including
>direct, indirect, incidental, consequential, loss of business profits or
>special damages.
>
>Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.
>
>VENUSTECH Security Lab
>
>VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)
>
>Security
>
>Trusted {Solution} Provider
>
>Service
>
>Reproducible: Always
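
The error path shown in the advisory closes a FILE pointer that was never assigned. The C example below is added here and is not netkit code or any vendor's fix: it initializes the pointer to NULL and routes every failure through one cleanup that closes only a stream that was actually opened. The names dataconn_demo, demo_accept, close_stream and fail_at are hypothetical, and /dev/null stands in for the data connection.

```c
#include <stdio.h>

/* Where the constructed transfer setup fails, if at all. */
enum fail_at { FAIL_NONE, FAIL_HANDSHAKE, FAIL_AFTER_OPEN };

static int close_calls;  /* lets a caller observe how many streams were closed */

/* Hypothetical stand-in for SSL_accept(): <= 0 means the handshake failed. */
static int demo_accept(enum fail_at f) { return f == FAIL_HANDSHAKE ? -1 : 1; }

/* Close a stream only if one was opened, then clear the pointer. */
static void close_stream(FILE **fp)
{
    if (*fp != NULL) {
        fclose(*fp);
        close_calls++;
        *fp = NULL;
    }
}

/* Same shape as dataconn(): returns an open stream, or NULL on any failure. */
FILE *dataconn_demo(enum fail_at f)
{
    FILE *file = NULL;              /* never left indeterminate */

    if (demo_accept(f) <= 0)
        goto fail;                  /* handshake failed before any stream exists */

    file = fopen("/dev/null", "w"); /* stands in for the data connection */
    if (file == NULL)
        goto fail;

    if (f == FAIL_AFTER_OPEN)
        goto fail;                  /* later error: the stream must be released */

    return file;

fail:
    close_stream(&file);            /* no-op when file is still NULL */
    return NULL;
}

int main(void)
{
    FILE *ok = dataconn_demo(FAIL_NONE);
    printf("failed handshake returns %p\n", (void *)dataconn_demo(FAIL_HANDSHAKE));
    if (ok) fclose(ok);
    return 0;
}
```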