Software Engineering Institute

The ftp server in several BSD distributions contains a defect which allows one byte of the program memory allocated within a stack frame to be overwritten with a NUL byte ('\0'). The byte in question is located at the end of a buffer in the function replydirname() in ftpd.c. This buffer contains the name of a directory path to be used by some other calling function.

The first byte following this path name happens to be the lower address of the pointer to the stack frame of the function calling replydirname(). This is the address restored to the extended base pointer when replydirname() terminates. So for example, if the address of the ebp was originally 0xbfffacdc, after the overwrite occurs in replydirname() the ebp will be 0xbfffac00. In effect, Zeroing out the lower byte of the ebp causes the pointer stored in the register to shift by 0xdc (or 220 decimal) bytes.

If the new location being pointed to in memory is under the control of the attacker (as is the case here), a return address chosen by the attacker can be inserted to be used to execute malicious code elsewhere, possibly in the same buffer being used to overwrite the end of the directory name in the first place (as is the case in replydirname())

The vulnerable code in this case is in the replydirname() function in ftpd.c, as explained in OpenBSD's Security Advisory about this problem:

TECHNICAL DETAILS

The offending code is as follows:

\tchar npath[MAXPATHLEN];
int i;

\tfor (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
npath[i] = *name;
if (*name == '"')
npath[++i] = '"';
}
npath[i] = '\0';

In <sys/param.h>, MAXPATHLEN is defined to be 1024 bytes.  The for()
construct here correctly bounds variable `i' to be < 1023, such that when
the loop has ended, no byte past npath[1023] may be written with '\0'.
However, since `i' is also incremented in the nested statements here,
it can become as large as 1024, and npath[1024] is past the end of the
allocated buffer space.

A local or remote user can execute arbitrary code with the privileges of the daemon, typically root.

Apply vendor patches

Disable the ftp service, or ensure no writable directories are accessible in the ftp base directory.