[12330] in bugtraq


Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD

daemon@ATHENA.MIT.EDU (Gregory A Lundberg)
Mon Oct 25 16:53:16 1999

Mail-Followup-To: Rami Dass <r-dass@NTX1.CSO.UIUC.EDU>,
                  BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19991022152401.H3881@vr.net>
Date:         Fri, 22 Oct 1999 15:24:03 -0400
Reply-To: Gregory A Lundberg <lundberg@VR.NET>
From: Gregory A Lundberg <lundberg@VR.NET>
X-To:         Rami Dass <r-dass@NTX1.CSO.UIUC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <744DBC8BC3FBD01192C200A0C96BA7BD01D9EFAC@ntx1.cso.uiuc.edu>;
              from Rami Dass on Thu, Oct 21, 1999 at 03:05:22PM -0500

On Thu, Oct 21, 1999 at 03:05:22PM -0500, Rami Dass wrote:

> Also, I believe that this problem occurs only in certain OS's vulnerable
> to the getcwd() exploit, the ERRATA file, in the 2.6.0 source tree, lists
> them:
>
> "Systems needing getcwd():
>
>   BSD 4.4       (bsd)
>   Unix 3.x      (dec)
>   DG/UX         (dgx)
>   Dynix         (dyn)
>   generic       (gen)
>   NeXTstep 2.x  (nx2)
>   OSF/1         (osf)
>   Sony NewsOS   (sny)"
>
> So this exploit MIGHT be OS specific and certain OS's running versions
> prior to 2.6.0 may not be affected.

The issue you're discussing here is not part of the CERT or AUSCERT
advisories.

It's a well-known fact that getwd() is not a good choice; it overruns
buffers.  getcwd() allows bounds checking and should be used instead.

The systems listed above have no getcwd() function, or at least nobody has
reported those systems now have one, so we're still assuming they do not
(notice we're fixing _that_ class of assumptions by switching to autoconf).

Sun operating systems, in particular SunOS, provide the getcwd() function.
Testing has shown the results from that function are not reliable.

In version 2.5.0 we started including a portable version of getcwd() for
systems which do not have the function.  In version 2.6.0, we use that
function on SunOS; eliminating the entire getwd()-class of problems.

Note that on the systems listed above, unless the FTP administrator
hand-changes something, the WU-FTPD daemon (version 2.5.0 or 2.6.0) will
not compile.  There is a #error statement which stops the compile if
getwd() would be used.



> I did try building 2.6.0 under Solaris 7, and there were some problems
> with using "ls".

The problems with 'ls' are Solaris' ftp client; I understand Sun's had
bug reports filed on it.  Our recommendation is to train Sun users to use
'dir' or 'ls -l' instead, or install another vendor's ftp client.

The issue here is the 'ls' command used to work for Sun Solaris users, but
the mget command was unreliable for all users on all platforms.  Fixing
mget broke Sun's client.  More properly stated, it exposed the brokenness
of Solaris' command-line ftp client.



> Incidentally, there has been a patch available to address the getcwd()
> issue on the ftp site for wu-ftpd that can be applied to 2.5.0.

The patch was for mapping_chdir, not the getcwd problem.

The patches for 2.5.0 only fix vul #1 .. #2 and #3 are only fixed in 2.6.0.



--

Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195
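
Added example, not part of the original message and not WU-FTPD's own code: the bounds checking that getcwd() allows and getwd() does not. The caller passes the buffer size, and a path that does not fit is refused with ERANGE instead of overrunning the buffer. The helper names cwd_bounded and cwd_alloc are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: copy the current directory into buf (size bytes).
 * Returns 0 on success, -1 with errno set; ERANGE means the path plus
 * its terminating NUL does not fit. */
int cwd_bounded(char *buf, size_t size)
{
    if (buf == NULL || size == 0) {
        errno = EINVAL;
        return -1;
    }
    if (getcwd(buf, size) == NULL) {
        buf[0] = '\0';          /* never hand back a partial path */
        return -1;              /* errno from getcwd() is preserved */
    }
    return 0;
}

/* Hypothetical helper: retry with a larger buffer on ERANGE, up to max
 * bytes. Returns a malloc()ed string the caller frees, or NULL. */
char *cwd_alloc(size_t max)
{
    size_t size = 64;
    for (;;) {
        if (size > max)
            size = max;
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd(buf, size) != NULL)
            return buf;
        int saved = errno;
        free(buf);
        if (saved != ERANGE || size >= max) {
            errno = saved;      /* hard failure, or the cap was reached */
            return NULL;
        }
        size *= 2;
    }
}

int main(void)
{
    char tiny[1];               /* too small for any path, even "/" */
    if (cwd_bounded(tiny, sizeof tiny) != 0 && errno == ERANGE)
        puts("1-byte buffer: refused with ERANGE");
    char *cwd = cwd_alloc(1 << 16);
    if (cwd) { printf("cwd: %s\n", cwd); free(cwd); }
    return 0;
}
```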
