[10217] in bugtraq

Re: Possible WU-ftpd Worm ?

daemon@ATHENA.MIT.EDU (Gregory A Lundberg)
Thu Apr 15 13:24:06 1999

Date: 	Wed, 14 Apr 1999 13:51:46 -0400
Reply-To: Gregory A Lundberg <lundberg@WU-FTPD.ORG>
From: Gregory A Lundberg <lundberg@WU-FTPD.ORG>
X-To:         Stu Alchor <stu@UPD.CEFETSP.BR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.990414021634.928A-100000@upd.cefetsp.br>

On Wed, 14 Apr 1999, Stu Alchor wrote:

> As I've run the old ftp exploit I found in the bugtraq and they didn't
> work so I thought we were not vulnerable. I will attach the core of
> the ftp worm (SDI-wu.c), the exploit for the vulnerability, which,
> btw, worked in my host.

>   strcpy ( tmp, "MKD "); strcat ( tmp, buff); strcat ( tmp, "\n");

This is the realpath() overflow discussed in

  http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

Please review that document to determine if your version of the WU-FTPD
daemon is vulnerable.

The addition of a backdoor (if true) is new, however.

Anyone wishing to discuss this matter may contact me through either of the
WU-FTPD discussion lists cc'd above or through private email.



The location of the latest version of wu-ftpd can be found in the
directory

      ftp://ftp.vr.net/pub/wu-ftpd/

wu-ftpd Resource Center:  http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ:              http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive:     http://www.landfield.com/wu-ftpd/mail-archive/

--

Gregory A Lundberg
1441 Elmdale Drive              lundberg@wu-ftpd.org
Kettering, OH 45409-1615 USA    1-888-977-5370
