[23298] in bugtraq


Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption

daemon@ATHENA.MIT.EDU (Andre Oppermann)
Wed Nov 28 20:09:54 2001

Message-ID: <3C057A82.C2258A6E@pipeline.ch>
Date: Thu, 29 Nov 2001 01:00:03 +0100
From: Andre Oppermann <oppermann@pipeline.ch>
MIME-Version: 1.0
To: script0r <script0r@axenet.org>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


The FreeBSD ftpd on at least FreeBSD 4.4 and FreeBSD 5.0-current does
not crash but simply provides a normal 'ls' output even though script0r
sees his Linux port of the (Open)BSD ftpd crashing.

-- 
Andre


script0r wrote:
> 
> >
> > ---------------------------------------------------------------------------
> >                              Security Alert
> >
> > Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability
> > BUGTRAQ ID:   3581                   CVE ID:         CVE-MAP-NOMATCH
> > Published:    Nov 27, 2001           Updated:        Nov 28, 2001 01:12:56
> >
> > Remote:       Yes                    Local:          No
> > Availability: Always                 Authentication: Not Required
> > Credibility:  Vendor Confirmed       Ease:           No Exploit Available
> > Class:        Failure to Handle Exceptional Conditions
> >
> > Impact:   10.0           Severity: 10.0            Urgency:  8.2
> >
> > Last Change:  Initial analysis.
> > --------------------------------------------------------------------------
> 
> I am running a linux port of the bsd ftpd and it might be vulnerable to
> a similar attack,
> 
> ftp localhost
> Connected to localhost.
> 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> Name (localhost:user): ftp
> 331 Guest login ok, type your name as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 200 PORT command successful.
> 421 Service not available, remote server has closed connection
> 
> in inetd I find an error stating that the ftpd process has died unexpectedly
> 
> Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
