‘hpaftpd Multiple Buffer Overflows’


hpaftpd is ‘a high performance anonymous FTP server (RFC 0959). It is designed to run without forks or threads and with low memory usage, so it’s suitable for heavy network traffic with very many connections’. beSTORM found multiple buffer overflows in hpaftpd, these vulnerabilities are caused by improper usage of the insecure sprintf function.’


‘This vulnerability has been found by beSTORM. Visit our web site to download a free 30 day evaluation of beSTORM.’


Vulnerable Systems:
 * hpaftpd version 1.01

The hpaftpd reads receives user provided data using the following code:
n = nb_get(nbc, buf, BUF_SIZE – 1);

While BUF_SIZE is defined as:
#define BUF_SIZE 8192

The same BUF_SIZE is used whenever hpaftpd wants to write something to the log/user, here is one example which is returned once the user has provided a username:
sprintf(obuf, ‘331 Password required for %srn’, ftpc->user);

As you can see, even though ftpc->user is limited to 8192, the obuf is also limited to 8192:
char buf[BUF_SIZE], obuf[BUF_SIZE]; /* Input buffer, output buffer */

Allowing us to supply numerous commands and arguments which in turn will overflow the obuf buffer.

The following commands can be used to overflow the obuf buffer:
 * PASS (with a combination of a USER command)
 * CWD
 * MKD
 * RMD
 * RNTO (with a vald RNFR combination)

Site note:
There appears to be a past attempt to prevent buffer overflows found in the path related functions, as they use snprintf instead of sprintf.’

Categories: News