[23325] in bugtraq
Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption
daemon@ATHENA.MIT.EDU (Flavio Veloso)
Thu Nov 29 21:22:09 2001
Date: Thu, 29 Nov 2001 09:32:33 -0200 (BRST)
From: Flavio Veloso <flaviovs@magnux.com>
To: script0r <script0r@axenet.org>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <35684.24.51.95.122.1006990579.squirrel@mail.axenet.org>
Message-ID: <Pine.LNX.4.33.0111290927390.25703-100000@ops.magnux.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
On Wed, 28 Nov 2001, script0r wrote:
> > Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability
(...)
> I am running the a linux port of the bsd ftpd and it might be vulnerable to
> a similar attack,
>
> ftp localhost
> Connected to localhost.
> 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> Name (localhost:user): ftp
> 331 Guest login ok, type your name as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 200 PORT command successful.
> 421 Service not available, remote server has closed connection
>
> in inetd I find an error stating that the ftpd process has died unexpectedly
>
> Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
This may not be related to the wu-ftpd bug. I was just experiencing
the same problem here, but further investigation showed up that it was
due a bug in the glibc implementation of glob(3) (not exploitable,
AFAICT).
See http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html for
details.
--
Flávio
