[23311] in bugtraq
RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
daemon@ATHENA.MIT.EDU (Junius, Martin)
Thu Nov 29 15:20:17 2001
Message-Id: <21380A50AB13D511A16200034723355C8F3176@G8PNU>
From: "Junius, Martin" <Martin.Junius@t-systems.de>
To: BUGTRAQ@securityfocus.com
Date: Thu, 29 Nov 2001 17:46:04 +0100
> I am running a Linux port of the BSD ftpd, and it might be vulnerable to
> a similar attack:
>
> ftp localhost
> Connected to localhost.
> 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> Name (localhost:user): ftp
> 331 Guest login ok, type your name as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 200 PORT command successful.
> 421 Service not available, remote server has closed connection
>
> In inetd I find an error stating that the ftpd process has died
> unexpectedly:
>
> Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
I just did some tests with RedHat 7.2, glibc-2.2.4-19, and ftpd-BSD-0.3.2.
"ls ~{" makes the ftpd process die with a SEGV in glibc's glob(pattern="~{", ...)
function. Besides that, ftpd-BSD uses globfree() to release the memory.
So as long as glibc's glob() is safe, ftpd-BSD *should* be safe against
this exploit.
On RedHat 6.2, glibc-2.1.3-22, "ls ~{" simply returns "No such file
or directory".
Martin
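The check Martin describes, repeated against the C library actually installed, as an added example (not code from this thread or from ftpd-BSD): the pattern "~{" goes through the libc glob() and is released with globfree(), and the program reports whether glob() returned at all. The flag combination is an assumption about what a BSD-style ftpd passes, not taken from the ftpd-BSD source.

```c
/* Added example, not from the original thread or from ftpd-BSD.  It
 * repeats the check described in the reply: hand the pattern "~{" to the
 * C library's glob() with the flags a BSD-style ftpd is assumed to use,
 * always release the result with globfree(), and report what glob()
 * returned.  A glob() affected by the crash described above dies inside
 * the call; a sound one returns normally.  Build: cc -o glob_check glob_check.c */
#define _GNU_SOURCE             /* GLOB_BRACE and GLOB_TILDE are GNU/BSD extensions */
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Run one pattern through glob() and globfree().  Returns glob()'s return
 * code (0, GLOB_NOMATCH, GLOB_NOSPACE or GLOB_ABORTED); if count is not
 * NULL the number of results is stored there, so the caller never touches
 * gl_pathv after it has been freed. */
int globbed_count(const char *pattern, size_t *count)
{
    glob_t g;
    memset(&g, 0, sizeof g);        /* gl_pathv == NULL keeps globfree() safe on every path */
    /* Assumed flag set: brace and tilde expansion are what "~{" exercises;
     * GLOB_NOCHECK returns the pattern itself when nothing matches. */
    int rc = glob(pattern, GLOB_BRACE | GLOB_TILDE | GLOB_NOCHECK, NULL, &g);
    if (count != NULL)
        *count = (rc == 0) ? g.gl_pathc : 0;
    globfree(&g);                   /* release the vector whatever glob() returned */
    return rc;
}

/* Returns 1 if glob() returned normally for the pattern from the report.
 * A vulnerable glob() never gets this far: the process dies with SIGSEGV
 * inside the call, which is what the quoted inetd log line ("exit signal
 * 11") records for the ftpd child. */
int glob_survives_tilde_brace(void)
{
    size_t n = 0;
    int rc = globbed_count("~{", &n);
    return (rc == 0 || rc == GLOB_NOMATCH) ? 1 : 0;
}

int main(void)
{
    size_t n = 0;
    int rc = globbed_count("~{", &n);
    printf("glob(\"~{\") returned %d with %zu result(s); process still alive\n", rc, n);
    return glob_survives_tilde_brace() ? 0 : 1;
}
```

Run it as the same unprivileged user the ftpd drops to; a crash here means the libc glob(), not the ftpd, needs the update.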