[23343] in bugtraq
Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption
daemon@ATHENA.MIT.EDU (Fred Mobach)
Fri Nov 30 17:05:19 2001
Message-ID: <3C075A99.424C1A9D@mobach.nl>
Date: Fri, 30 Nov 2001 11:08:25 +0100
From: Fred Mobach <fred@mobach.nl>
MIME-Version: 1.0
To: BUGTRAQ@securityfocus.com
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
"Junius, Martin" wrote:
>
> I just did some tests with RedHat 7.2, glibc-2.2.4-19, and ftpd-BSD-0.3.2.
> "ls ~{" makes the ftpd process die in glibc's glob(pattern="~{", ...)
> function with a SEGV. Besides that, ftpd-BSD uses globfree() to release
> the memory. So as long as glibc's glob() is safe, ftpd-BSD *should*
> be safe against this exploit.
SGI's ftp in IRIX 6.5 isn't vulnerable:
erwin 1% uname -a
IRIX erwin 6.5 01221644 IP32
fred@servans:~/a> ftp erwin
Connected to erwin.mobach.nl.
220 erwin.mobach.nl FTP server ready.
Name (erwin:fred): mendel
331 Password required for mendel.
Password:
230 User mendel logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
500 'EPSV': command not understood.
227 Entering Passive Mode (172,16,21,158,4,241)
150 Opening ASCII mode data connection for '/bin/ls'.
UX:ls: ERROR: Cannot access ~{: No such file or directory
226 Transfer complete.
ftp>
Regards,
Fred
--
Fred Mobach - fred@mobach.nl - postmaster@mobach.nl
Systemhouse Mobach bv - The Netherlands - since 1976
Save Harbour for encumbered Free and Open Source software and links:
http://apache.dataloss.nl/~fred/
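
An added example, not part of the original message or of any project named in the thread: a small C harness that runs glob() on the "~{" pattern discussed above inside a child process and reports whether the local libc returns an error code or dies with a signal. The names probe_glob and probe_result are hypothetical, and the GLOB_BRACE | GLOB_TILDE flags are an assumption about how an FTP daemon would call glob().

```c
#define _DEFAULT_SOURCE            /* exposes GLOB_BRACE / GLOB_TILDE on glibc */
#include <errno.h>
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for this example. */
enum probe_result { PROBE_CLEAN, PROBE_CRASHED, PROBE_ERROR };

/* Run glob() on one pattern in a child process, so a fault inside libc
 * shows up as a signal instead of killing the caller. On PROBE_CLEAN,
 * *detail is glob()'s return code; on PROBE_CRASHED, the signal number. */
enum probe_result probe_glob(const char *pattern, int *detail)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        glob_t g;
        memset(&g, 0, sizeof g);  /* no stale pointers for globfree() */
        int rc = glob(pattern, GLOB_BRACE | GLOB_TILDE, NULL, &g);
        globfree(&g);             /* g was zeroed, so this is safe on failure too */
        _exit(rc & 0x7f);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return PROBE_ERROR;
    if (WIFSIGNALED(status)) {
        *detail = WTERMSIG(status);
        return PROBE_CRASHED;
    }
    *detail = WEXITSTATUS(status);
    return PROBE_CLEAN;
}

int main(void)
{
    int detail = 0;
    enum probe_result r = probe_glob("~{", &detail);  /* pattern from the thread */
    if (r == PROBE_CRASHED)
        printf("glob(\"~{\") killed by signal %d\n", detail);
    else if (r == PROBE_CLEAN)
        printf("glob(\"~{\") returned %d (GLOB_NOMATCH is %d)\n", detail, GLOB_NOMATCH);
    return r == PROBE_CLEAN ? 0 : 1;
}
```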