[252] in linux-security and linux-alert archive
Re: Wu-ftpd.
daemon@ATHENA.MIT.EDU (Thomas Lundquist)
Tue May 30 21:41:10 1995
Date: Tue, 30 May 1995 21:43:14 +0200 (GMT+0200)
From: Thomas Lundquist <safety@castle.hiof.no>
To: thomas <safety@castle.hiof.no>
cc: linux-security@tarsier.cv.nrao.edu, jimmyo@frodo.hiof.no
In-Reply-To: <Pine.LNX.3.91.950529205624.23863A-100000@castle>
On Mon, 29 May 1995, the Linux security list wrote:
As previously stated (to recap), this thing only works if you are a
user on the system. Although, if /etc/ftpaccess is configured wrongly, it
may be possible for anonymous too.
I have "hacked" the source and made a version that logs the exec and
returns a NONO to the user. And of course does not execute the command.
I know this change works, but since it's there in the first place it has to
have a use. What use I haven't noticed yet.
I can down and upload files as before.
The following diff can be applied to src/ftpcmd.y in the wu-ftpd
source (version 2.4). It's a simple diff. I am sure it can be done in a
neater way, though.
Thomas.
[mod: I trimmed the quoting somewhat. I'd also like to ask people posting
patches to send context diffs or unified diffs. They're easier
to read and have a higher chance of being applicable to newer
versions of the same program as well. Lastly, let me repeat that
there's an easy fix for this hole: simply set the EXECPATH
define in src/pathnames.h to a non-existent directory such as
/bin/ftp-exec. --okir]
--- cut here ---
1429a1430,1432
> /*
> * The declarations belov it kept to be sure we don't break too much.
> */
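Review bot: the declarations this new comment keeps become dead weight, because the later hunks delete every use of slash, t and cmdf that is visible in this patch, so they will be declared but unused. Either drop those declarations along with the code, or keep the original body under a compile-time switch (an #ifdef around the old block) so the function stays consistent whichever way it is built. The comment text also needs fixing: "belov it kept" should read "below are kept".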
1434c1437,1440
< /* sanitize the command-string */
---
> /* Nope! We don't want to EXEC anythig..
> * So, we will deny the moron and log him.
> * Thomas.Lundquist@hiof.no May '95
> */
1436,1462c1442,1445
< if (sp == 0) {
< while ((slash = strchr (cmd, '/')) != 0)
< cmd = slash + 1;
< } else {
< while (sp && (slash = (char *) strchr(cmd, '/'))
< && (slash < sp))
< cmd = slash+1;
< }
<
< for (t = cmd; *t && !isspace(*t); t++) {
< if (isupper(*t)) {
< *t = tolower(*t);
< }
< }
<
< /* build the command */
< if (strlen(_PATH_EXECPATH) + strlen(cmd) + 1 > sizeof(buf))
< return;
< sprintf(buf, "%s/%s", _PATH_EXECPATH, cmd);
<
< cmdf = ftpd_popen(buf, "r", 0);
< if (!cmdf) {
< perror_reply(550, cmd);
< if (log_commands)
< syslog(LOG_INFO, "SITE EXEC (FAIL: %m): %s", cmd);
< } else {
< int lines = 0;
---
> /* I have logged it as critical, another choice may be warning.
> * That is LOG_WARNING (see sys/syslog.h for the choises.)
> */
> syslog(LOG_CRIT, "ATTEMPT: SITE EXEC, Command: %s ", cmd);
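Review bot: the new syslog(LOG_CRIT, "ATTEMPT: SITE EXEC, Command: %s ", cmd) call writes the client-supplied string unbounded and unfiltered, at a priority any logged-in FTP user can trigger at will. The removed code logged at LOG_INFO and only when log_commands was set. On sites that route crit messages to the console or to an operator, a user repeating SITE EXEC can flood that channel. Suggest LOG_WARNING or LOG_NOTICE (the comment in this hunk already mentions the former), a bounded conversion such as "%.100s" so an oversized argument cannot fill the log line, and dropping the trailing space in the format string. Adding the user name and remote host to the message would make the entry useful for follow-up; the variables holding them are not visible in this diff, so that part needs checking against the rest of ftpcmd.y.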
1464,1466c1447,1449
< lreply(200, cmd);
< while (fgets(buf, sizeof buf, cmdf)) {
< int len = strlen(buf);
---
> /* The reply can of course be changed to a more polite denial..:=)
> */
> reply(200, "No freaking way!");
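Review bot: reply(200, "No freaking way!") sends a 2xx completion code for a command that was refused, so a client or script that checks only the numeric code will treat the SITE EXEC as having succeeded. Use a permanent-failure code instead: the removed failure path already used 550 via perror_reply(550, cmd), and 502 (command not implemented) also fits a command that is compiled out. A neutral message such as "SITE EXEC is disabled." is easier for users and log readers to interpret.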
1468,1480d1450
< if (len>0 && buf[len-1]=='\n')
< buf[--len] = '\0';
< lreply(200, buf);
< if (++lines >= 20) {
< lreply(200, "*** Truncated ***");
< break;
< }
< }
< reply(200, " (end of '%s')", cmd);
< if (log_commands)
< syslog(LOG_INFO, "SITE EXEC (lines: %d): %s", lines, cmd);
< ftpd_pclose(cmdf);
< }