[10485] in bugtraq
Re: wuftp2.4.2academ beta 12-18 exploit
daemon@ATHENA.MIT.EDU (laq@SWIPNET.SEX)
Fri May 7 13:47:05 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-9
Content-Transfer-Encoding: QUOTED-PRINTABLE
Message-Id: <Pine.LNX.4.02.9905071028420.350-100000@Liquid.laqqah.net>
Date: Fri, 7 May 1999 10:42:54 +0200
Reply-To: laq@SWIPNET.SEX
From: laq@SWIPNET.SEX
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.02.9905051456280.2095-100000@Liquid.laqqah.net>
On Wed, 5 May 1999 laq@SWIPNET.SE wrote:
> > Workaround:
> >
> > wu-ftpd and variants that use files /etc/ftp* for configuration
> > can easily help protect you against the many recent variants that
> > exploit buffer overflows with MKDIR. All the varieties I've
> > seen require creating a directory or file - that's where the
> > overflow happens.
> >
> > In /etc/ftpaccess, you have the option to specify what commands
> > may and may not be run by particular users. Just add lines to
> > specify that user anonymous (or whatever others you want) cannot
> > put, delete, mkdir, etc.
> >
> > E.g., lines like these:
> >
> > chmod no anonymous
> > delete no anonymous
> > overwrite no anonymous
> > rename no anonymous
> > mkdir no anonymous
> > upload no anonymous
>
> if you still want to let anonymous users create directories,
> take a look at path-filter option for that very same file.
>
> # path-filter...
> path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
>
> when i tried the exploit on myself i got a lot of "Permission denied (pathname)",
> so at least it seems to work.
>
i got some questions about how to make this filter apply to ordinary users as
well, i might point this out at the list instead of answering each mail.
instead of anonymous, use "real" to make the filter apply to any other user.
just like:
path-filter real /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
but this would piss users off as they wouldn't be allowed to create .directory
which they actually might want to do, and have the right to do.
so here is a cut from my own ftpaccess file:
# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter real /etc/pathmsg ^[-A-Za-z0-9_\.]*$
this lets your ordinary users use filenames starting with . and -
but still rejects the exploit, lookie here:
I=FE=E8=AC=FF=FF=FF: Permission denied. (Filename (accept))
550 1A1U=B0I=FE1A=B0I=FE1A1U=B0.I=FE=EBO1A1=C9^=B0'=FE^=FE=C5=B1=EDI=FE=
1A=FE^=B0=3DI=FE1A=BBO=D1=FE=FF=F7U1=C9=B1VI=FEcd /; uname -a;
pwd; id;
=FE=C6=E0=F9^=B0=3D=FE^I=FE1A=FEF=FE=FEF
=B0
=FE=F3=FE=FEV
I=FE=E8=AC=FF=FF=FF: No such file or directory.
257 "/tmp/bin" new directory created.
250 CWD command successful.
257 "/tmp/bin/sh" new directory created.
250 CWD command successful.
550-I don't like crappy filenames..
550-please choose another name for the
550-shit you're trying to send me.
550-
550-Rules:
550-1. only chars A-Z,a-z,0-9,.\- are allowed in filenames
550-2. NO initial . or - in filenames
550
Permission denied. (Filename (accept))
550
No such file or directory.
550-I don't like crappy filenames..
550-please choose another name for the
550-shit you're trying to send me.
550-
550-Rules:
550-1. only chars A-Z,a-z,0-9,.\- are allowed in filenames
550-2. NO initial . or - in filenames
550
Permission denied. (Filename (accept))
550
No such file or directory.
550-I don't like crappy filenames..
550-please choose another name for the
550-shit you're trying to send me.
550-
550-Rules:
550-1. only chars A-Z,a-z,0-9,.\- are allowed in filenames
550-2. NO initial . or - in filenames
550
Permission denied. (Filename (accept))
550
No such file or directory.
550-I don't like crappy filenames..
550-please choose another name for the
550-shit you're trying to send me.
550-
550-Rules:
550-1. only chars A-Z,a-z,0-9,.\- are allowed in filenames
550-2. NO initial . or - in filenames
550
Permission denied. (Filename (accept))
550
No such file or directory.
500 'CD /; uname -a; pwd; id;': command not understood.
oh, btw, if you want to reply to me, remove the last x from my address, i put it
there to hopefully not have to get all those "out of office" messages.
-------------------------------------------
PGP : http://home.swipnet.se/laq/pgpkey.asc
HTTP: http://home.swipnet.se/laq
CELL: 070-7564423
-------------------------------------------
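
The three path-filter lines from the message above, evaluated offline against constructed filenames. This is an added example, not part of the original message: Python's `re` stands in for the server's regex engine, and matching only the final path component is an assumption.

```python
import re

# Rules copied from the ftpaccess excerpt in the message above.
FTPACCESS = rb"""
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter real /etc/pathmsg ^[-A-Za-z0-9_\.]*$
"""

# Constructed sample names (not taken from the session output).
SAMPLES = [b"pub/report_1999.txt", b".profile", b"-notes",
           b"a b;c", b"\xff\xbf" * 4]

def parse_path_filters(text):
    """Map user class -> (allowed regex, [disallowed regexes])."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != b"path-filter":
            continue
        # fields: keyword, class list, message file, allowed, disallowed...
        # Python's re is a stand-in; regex dialects differ in corner cases
        # (a backslash inside brackets, "$" before a trailing newline).
        allowed = re.compile(fields[3])
        denied = [re.compile(p) for p in fields[4:]]
        for cls in fields[1].split(b","):
            rules[cls.decode()] = (allowed, denied)
    return rules

def accepts(rules, user_class, path):
    """True if the final component of path passes the class's filter."""
    if user_class not in rules:
        return True  # no filter configured for this class
    allowed, denied = rules[user_class]
    name = path.rsplit(b"/", 1)[-1]  # assumption: basename is what is checked
    if not allowed.search(name):
        return False  # contains a byte outside the allowed set
    return not any(p.search(name) for p in denied)

def verdicts(rules, names):
    """Per-name table of which user classes would accept it."""
    return {n: {c: accepts(rules, c, n) for c in sorted(rules)} for n in names}

if __name__ == "__main__":
    for name, row in verdicts(parse_path_filters(FTPACCESS), SAMPLES).items():
        print(name, row)
```

Names made of high-bit bytes fail the allowed-character pattern for every class, while only the `real` class accepts a leading `.` or `-`.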