[117] in Best-of-Security
BoS: ftpd bug (yes, again..)
daemon@ATHENA.MIT.EDU (Vadim Kolontsov)
Sun Apr 13 06:45:13 1997
Date: Sun, 13 Apr 1997 11:34:46 +0400
From: Vadim Kolontsov <vadim@tversu.ac.ru>
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
Hello,
do you remeber a bug with "argc > 100" in ftpd_popen(), when users was
able to kill your ftpd to produce core dump with shadow password? Ok, this bug
(which was reported when 2.1 was the latest release) still presents
in 2.2 & 3.0
Yes, ftpd was patched, but incompletely. It seems that this patches was
never tested (although I didn't check a patch against "kill -11" yet)
Here is an additional patch for 3.0's ftpd
============================== cut here ================================
*** popen.c.old Sun Apr 13 11:22:59 1997
--- popen.c Sun Apr 13 11:23:16 1997
***************
*** 95,101 ****
/* glob each piece */
gargv[0] = argv[0];
! for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
glob_t gl;
int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
--- 95,101 ----
/* glob each piece */
gargv[0] = argv[0];
! for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1) && argc < MAXUSRARGS; argc++) {
glob_t gl;
int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
============================== cut here ================================
See the source code to understand why previous patch was incomplete -
it's easy...
BTW, wu-ftpd latest beta (13) still can be killed in this way... although
wu-ftpd's maintainer was informed by me about 3 monthes ago.
With best regards, Vadim.
P.S. to test ftpd, do the following:
telnet your.host 21
user ftp (or your userid, if you have no anonymous ftp)
pass ftp@ (or your password)
list x x x x x x x x x x x ... (around 3 lines will be enough ;)
Bugged ftpdwill die here - "Connection closed by foreigh host".
Now look for core dump, extract password, start your Crack :)
--------------------------------------------------------------------------
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab
