http://packetstorm.linuxsecurity.com/filedesc/atftpdx.c.html says: Proof of concept remote root exploit for atftpd version 0.6. Makes use of the filename overflow found by Rick Patel. Related post here. Tested against Debian 3.0. By gunzip
http://packetstorm.linuxsecurity.com/filedesc/atftpd.patch.html says: Simple patch to fix the overflow found in atftpd by Rick Patel. By gunzip

The patch is:

--- tftpd_file.c Tue Mar 12 05:26:18 2002 +++ tftpd_file_diff.c Thu Jun 5 20:31:06 2003 @@ -357,7 +357,8 @@ else { strcpy(filename, directory); - strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE); + strncat(filename, data->tftp_options[OPT_FILENAME].value, + VAL_SIZE - strlen( directory ) - 1 ); } /* If the filename contain /../ sequences, we forbid the access */

http://packages.qa.debian.org/a/atftp.html shows:
[2002-04-24] Accepted atftp 0.6.1.1 (source hppa)
[2002-04-13] Accepted atftp 0.6.1 (i386 source)
[2002-03-31] Accepted atftp 0.6 (i386 source)
[2002-02-11] Installed atftp 0.5 (i386 source)
[2001-07-21] Installed atftp 0.4 (i386 source)
[2001-03-05] Installed atftp 0.3 (i386 source)
[2000-12-27] Installed atftp 0.2 (i386 source)
[2000-08-21] Installed atftp 0.1 (source i386)
and:
Testing 0.6.1.1
Stable 0.6

I'm guessing atftp is vulnerable, but without checking I won't file a bug. Checking the code should be easy, but checking if this could actually be exploited would take a bit more thought. If stable is actually vulnerable and exploitable then the security team should be co-ordinated with.

Drew Daniels
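Review bot: the new bound `VAL_SIZE - strlen( directory ) - 1` is computed in unsigned arithmetic (strlen returns size_t), so if `directory` is VAL_SIZE bytes or longer the expression wraps to a huge value and the strncat is effectively unbounded again; guard it before the call (e.g. refuse the request when `strlen(directory) + 1 > VAL_SIZE`) or replace the strcpy/strncat pair with one `snprintf(filename, VAL_SIZE, "%s%s", directory, data->tftp_options[OPT_FILENAME].value)` and check its return value against VAL_SIZE. The preceding `strcpy(filename, directory);` in the same hunk is still unbounded and should get the same treatment. A one-line comment above the call stating that the third argument is the remaining room in a VAL_SIZE-byte `filename` would also help, since that assumption is what the fix rests on and it is not visible in the hunk.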
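The filename overflow described above, as an added example that is not atftpd's code and not part of the original post. It shows why the pre-patch strcpy/strncat pair overflows (strncat's third argument bounds only the appended characters, not the whole buffer), a bounded join that refuses instead of overflowing, and the one case the patched expression still does not cover (a directory prefix that already fills the buffer, where the size_t subtraction wraps). The names `filename`, `directory` and `VAL_SIZE` follow the quoted patch; the value of `VAL_SIZE`, the function names and the sample inputs are assumptions made for the example.

```c
/* Added example; not atftpd's code. VAL_SIZE is an assumed size, the real
 * atftpd value is not on this page. */
#include <stdio.h>
#include <string.h>

#define VAL_SIZE 32  /* assumed size of the filename buffer */

/* Bytes (NUL included) that the pre-patch sequence
 *   strcpy(filename, directory);
 *   strncat(filename, name, VAL_SIZE);
 * writes into filename. strncat's third argument caps only the appended
 * part, so the total reaches strlen(directory) + VAL_SIZE + 1 for a long
 * name. Computed rather than executed so the demo never corrupts memory. */
size_t unpatched_bytes_written(const char *directory, const char *name)
{
    size_t appended = strlen(name);
    if (appended > VAL_SIZE)
        appended = VAL_SIZE;
    return strlen(directory) + appended + 1;
}

/* Mirrors the patched bound VAL_SIZE - strlen(directory) - 1 and returns 1
 * when that unsigned expression would wrap (directory already fills the
 * buffer), i.e. the case the patch itself does not guard against. */
int patched_size_wraps(const char *directory)
{
    return strlen(directory) + 1 > VAL_SIZE;
}

/* Hardened join: returns 0 and a NUL-terminated filename when
 * directory + name fits in VAL_SIZE bytes, -1 otherwise. The length check
 * is split so it cannot underflow or wrap for any input lengths. */
int build_path(char filename[VAL_SIZE], const char *directory, const char *name)
{
    size_t dlen = strlen(directory);
    size_t nlen = strlen(name);

    if (dlen >= VAL_SIZE || nlen >= VAL_SIZE - dlen)
        return -1;

    memcpy(filename, directory, dlen);
    memcpy(filename + dlen, name, nlen);
    filename[dlen + nlen] = '\0';
    return 0;
}

/* Helper for checking results: 1 if build_path succeeds and yields expected. */
int build_path_gives(const char *directory, const char *name, const char *expected)
{
    char filename[VAL_SIZE];
    if (build_path(filename, directory, name) != 0)
        return 0;
    return strcmp(filename, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal request and an over-long filename option
     * of the kind the packetstorm descriptions refer to. */
    const char *dir = "/tftpboot/";
    const char *ok_name = "boot.img";
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */
    char filename[VAL_SIZE];

    printf("unpatched write for long name: %zu bytes into a %d-byte buffer\n",
           unpatched_bytes_written(dir, long_name), VAL_SIZE);
    printf("build_path(normal) -> %d\n", build_path(filename, dir, ok_name));
    printf("build_path(long)   -> %d\n", build_path(filename, dir, long_name));
    printf("patched bound wraps for a %d-byte directory: %d\n", VAL_SIZE,
           patched_size_wraps("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The two-step check in build_path (`dlen >= VAL_SIZE` first, then `nlen >= VAL_SIZE - dlen`) is the shape the patched strncat call needs in front of it: it rejects the prefix-fills-buffer case before any subtraction happens, which a single `dlen + nlen + 1 > VAL_SIZE` test would not do for lengths that wrap size_t.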