[12318] in bugtraq
Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD
daemon@ATHENA.MIT.EDU (Rami Dass)
Fri Oct 22 12:58:06 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <744DBC8BC3FBD01192C200A0C96BA7BD01D9EFAC@ntx1.cso.uiuc.edu>
Date: Thu, 21 Oct 1999 15:05:22 -0500
Reply-To: Rami Dass <r-dass@NTX1.CSO.UIUC.EDU>
From: Rami Dass <r-dass@NTX1.CSO.UIUC.EDU>
X-To: "trott@SLOWPOISONERS.COM" <trott@SLOWPOISONERS.COM>,
BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Also, I believe that this problem occurs only in certain OS's vulnerable to
the getcwd() exploit, the ERRATA file, in the 2.6.0 source tree, lists them:
"Systems needing getcwd():
BSD 4.4 (bsd)
Unix 3.x (dec)
DG/UX (dgx)
Dynix (dyn)
generic (gen)
NeXTstep 2.x (nx2)
OSF/1 (osf)
Sony NewsOS (sny)"
So this exploit MIGHT be OS specific and certain OS's running versions prior
to 2.6.0 may not be affected. I did try building 2.6.0 under Solaris 7, and
there were some problems with using "ls".
Incidentally, there has been a patch available to address the getcwd() issue
on the ftp site for wu-ftpd that can be applied to 2.5.0.
-----Original Message-----
From: Richard Trott [mailto:trott@SLOWPOISONERS.COM]
Sent: Wednesday, October 20, 1999 5:17 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD
> WU-FTPD and BeroFTPD
>
> Vulnerability #1:
>
> Not vulnerable:
> versions 2.4.2 and all betas and earlier versions
> Vulnerable:
> wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
> wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
> wu-ftpd-2.5.0
> BeroFTPD, all versions
CERT appears to have left out wu-ftpd-2.6.0 (although they included it in
the lists for the other two vulnerabilities).
Version 2.6.0 does *not* have the "MAPPING_CHDIR Buffer Overflow"
vulnerability, at least if the ANNOUNCE-RELEASE file for that version is
to be believed. It reads, in part:
"Corrected an error in the MAPPING_CHDIR feature which could be used to
gain root privileges on the server."
Presumably, this refers to this vulnerability.
Rich
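The thread above turns on which wu-ftpd version strings fall inside the CERT ranges for Vulnerability #1 (the MAPPING_CHDIR overflow). The following is an added example, not code from the thread, CERT, or the wu-ftpd project: a small parser for the version-string forms the advisory uses (`wu-ftpd-2.4.2-beta-18-vr4`, `2.4.2-vr16`, `2.5.0`) and a classifier that applies exactly the ranges quoted in the advisory. The function names are my own. It treats 2.6.0 as not affected only on the strength of the ANNOUNCE-RELEASE quote as Rich reads it, which is a labelled assumption rather than a CERT statement; BeroFTPD strings are out of scope because the advisory lists it wholesale.

```python
import re

# Version-string grammar as used in the CERT advisory quoted in the thread:
#   [wu-ftpd-]MAJOR.MINOR.PATCH[-beta-N][-vrN]
_VERSION_RE = re.compile(
    r"^(?:wu-ftpd-)?(\d+)\.(\d+)\.(\d+)"
    r"(?:-beta-(\d+))?"
    r"(?:-vr(\d+))?$"
)


def parse_version(s):
    """Return (major, minor, patch, beta, vr); beta and vr are None when absent."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised wu-ftpd version string: {s!r}")
    major, minor, patch, beta, vr = m.groups()
    return (
        int(major), int(minor), int(patch),
        int(beta) if beta is not None else None,
        int(vr) if vr is not None else None,
    )


def mapping_chdir_status(s):
    """Classify a wu-ftpd version for CA-99.13 Vulnerability #1.

    Returns 'vulnerable', 'not vulnerable' or 'unknown'. The ranges mirror the
    advisory text quoted in the thread; anything the advisory does not name
    (for example 2.4.2-beta-18-vr3) is reported as 'unknown' rather than guessed.
    """
    major, minor, patch, beta, vr = parse_version(s)
    base = (major, minor, patch)

    if base == (2, 5, 0):
        return "vulnerable"                     # "wu-ftpd-2.5.0"

    if base == (2, 4, 2):
        # "wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15"
        if beta == 18 and vr is not None and 4 <= vr <= 15:
            return "vulnerable"
        # "wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17"
        if beta is None and vr in (16, 17):
            return "vulnerable"
        # "versions 2.4.2 and all betas ... Not vulnerable"
        if vr is None:
            return "not vulnerable"
        return "unknown"                        # a -vr build outside both lists

    if base < (2, 4, 2):
        return "not vulnerable"                 # "... and earlier versions"

    if base == (2, 6, 0):
        # Assumption: per the ANNOUNCE-RELEASE quote as read in the thread,
        # not a CERT statement.
        return "not vulnerable"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample strings covering each branch above.
    for v in ("wu-ftpd-2.4.2-beta-18-vr4", "2.4.2-beta-17", "2.4.2-vr16",
              "wu-ftpd-2.5.0", "wu-ftpd-2.6.0", "2.4.2-beta-18-vr3"):
        print(f"{v:28s} {mapping_chdir_status(v)}")
```

Use this on the version string your build reports; the "unknown" outcome is deliberate, so that a -vr build the advisory never named is not silently marked safe.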