[11535] in bugtraq


Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock

daemon@ATHENA.MIT.EDU (Josip Rodin)
Sat Aug 28 01:01:43 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990825211143.A4399@nevkos.gkvk.hr>
Date:         Wed, 25 Aug 1999 21:11:43 +0200
Reply-To: Josip Rodin <joy@NEVKOS.GKVK.HR>
From: Josip Rodin <joy@NEVKOS.GKVK.HR>
X-To:         Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl>; from Michal
              Zalewski on Sun, Jul 04, 1999 at 01:38:48PM +0200

On Sun, Jul 04, 1999 at 01:38:48PM +0200, Michal Zalewski wrote:
> ----------------------------
> wu-ftpd 2.5, VR and BeroFTPD
> ----------------------------
>
> Compromise: remote root
>
> Solution: add strlen() check somewhere
>
> There's an overflow in wu-ftpd 2.5 and prior releases (including VR and
> BeroFTPD) in mapped_path when mapping current working directory to
> command-line. While I discovered this vulnerability by myself, I don't want
> to provide exploit code, as all other, hard work has been done
> independently by someone else. Instead of that, there's a .diff file with
> patch, attached somewhere as ftpd.diff.

The Debian package of wu-ftpd (2.5.0-3) has just been updated with this
patch:

--- wu-ftpd-2.5.0.orig/src/ftpd.c
+++ wu-ftpd-2.5.0/src/ftpd.c
@@ -1243,9 +1246,12 @@
       }

       /* append the dir part with a leading / unless at root */
-      if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
-              strcat( mapped_path, "/" );
-      strcat( mapped_path, dir );
+      if ( strlen( mapped_path ) + strlen( dir ) < MAXPATHLEN-2 ) {
+              if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
+                      strcat( mapped_path, "/" );
+              strcat( mapped_path, dir );
+      } else
+	      syslog( LOG_ERR, "mapped_path overflow: possible exploit attempt" );
 }

 int
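
Review bot: the else branch at the end of the hunk only calls syslog(); when the length check fails, mapped_path is left without the dir component and control falls through to the closing brace with no return value or error flag visible, so whatever called this code still receives the truncated path as if the mapping had succeeded. Consider signalling the failure to the caller (or marking mapped_path invalid) in addition to logging it. The bound itself is sound: strlen( mapped_path ) + strlen( dir ) < MAXPATHLEN-2 leaves room for the appended "/" and the terminating NUL. Minor: the syslog line is indented with a tab while the surrounding lines use spaces.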

Correct me if I'm wrong, but it doesn't seem that the wu-ftpd Academ betas
(specifically beta 16, included in Debian 2.1 (slink)) are vulnerable.

Thus I doubt that our security team will issue an advisory, because this
version is present only in the unstable distribution.

--
enJoy -*/\*- don't even try to pronounce my first name
