[9976] in bugtraq
comment about ftp exploit
daemon@ATHENA.MIT.EDU (Alex Yu)
Thu Mar 25 23:53:35 1999
Date: Tue, 23 Mar 1999 13:52:04 -0500
Reply-To: Alex Yu <ayu1@NYCAP.RR.COM>
From: Alex Yu <ayu1@NYCAP.RR.COM>
To: BUGTRAQ@NETSPACE.ORG
> -----Original Message-----
> From: owner-wu-ftpd@wugate.wustl.edu [mailto:owner-wu-ftpd@wugate.wustl.
> edu] On Behalf Of Gregory A Lundberg
> Sent: Tuesday, March 23, 1999 10:44 AM
> To: Russ Allbery
> Cc: ayu1@nycap.rr.com; wu-ftpd@wugate.wustl.edu
> Subject: Re: FW: ftp exploit
>
>
> On 23 Mar 1999, Russ Allbery wrote:
>
> > > any comments?
> >
> > It's an exploit script for the path overflow bug that's already been
> > announced by CERT, been on all the security lists, and has already
> > been fixed in the latest version of every wu-ftpd variant that I'm
> > aware of as well as being the impetus for the final mainline wu-ftpd
> > release?
>
> Correct. This is a full exploit against Redhat 5.2 (the original advisory
> was based upon a test, not an exploit).
>
> My comment: This posting proves why you need to keep up with the CERT
> mailing list, if not Bugtraq and other lists. As often happens, the
> exploit followed the discovery of the vulnerability by several weeks.
> While it sometimes happens that exploits are distributed before the daemon
> authors are notified and public security announcement made, this was not
> the case here.
>
>
>
> My testing shows:
>
> This is an exploit using the buffer overflow described in
>
> CERT Advisory CA-99.03 - FTP-Buffer-Overflows
>
> Available from http://www.CERT.org/
>
> It is directed solely at Redhat CD 4.2 Linux systems running a clean,
> default install. It was not successful on unclean 5.2 systems, the
> pre-5.2 systems I tested on, or when I built the daemon by-hand instead of
> using a Redhat (S)RPM. My testing showed, while none of the systems I
> have available were exploitable, the exploit WOULD HAVE WORKED but failed
> for identifiable reasons.
>
> Given working code for Redhat 4.2, it should be a fairly simple matter to
> port to non-Linux or non-5.2 systems.
>
>
>
> WHO IS VULNERABLE
> -----------------
>
> - Systems running ALL versions of WU-FTPD _prior_ to 2.4.2 (final),
> including all 2.4.2-beta versions, ARE VULNERABLE, except as noted
> below:
>
> - Systems with proper upload clauses are partially protected. Many
> systems do not use proper upload clauses for real/guest users and are
> NOT protected from abuse by their local users.
>
> - Systems with proper permissions are partially protected. Most systems
> do not use proper permissions for real/guest users since they would
> prevent use by Telnet/SSH/Shell .. such systems are NOT protected from
> their local users.
>
>
>
> WHO IS NOT VULNERABLE
> ---------------------
>
> - Systems running 2.4.2 (final) are protected against _this_ bug. Such
> systems should upgrade to VR16 for maximum security; a number of other
> bugs and security problems have been fixed in VR16.
>
> - Systems running 2.4.2-beta-18-VR10 or later are protected. Anyone
> running VR10 through VR13 should upgrade to VR14 or later at your
> earliest convenience.
>
> - Systems running BeroFTPD 1.2.0 or later are NOT vulnerable. All
> BeroFTPD systems should upgrade to the current version (1.3.4) at their
> earliest convenience. Anyone running a vulnerable system with NEWVIRT,
> will want to immediately upgrade to BeroFTPD.
>
>
>
> The location of the latest version of wu-ftpd can be found in the
> directory
>
> ftp://ftp.vr.net/pub/wu-ftpd/
>
> wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
> wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
> wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/
>
> --
>
> Gregory A Lundberg Senior Partner, VRnet Company
> 1441 Elmdale Drive lundberg+wuftpd@vr.net
> Kettering, OH 45409-1615 USA 1-800-809-2195
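The "WHO IS VULNERABLE" / "WHO IS NOT VULNERABLE" rules above are easy to misread when the version string carries a beta number and a VR patch level, so here is a small inventory check that encodes them. This is an added example, not code from the original post or from the wu-ftpd project. It assumes version strings written the way the message writes them (for example `2.4.2`, `2.4.2-beta-18-VR10`, `BeroFTPD 1.3.4`); real server banners are formatted differently and would need their own extraction step first. The `parse_version`, `is_vulnerable` and `advice` names are this example's own.

```python
"""Classify wu-ftpd / BeroFTPD version strings against the CA-99.03 path
overflow rules quoted in the forwarded message (added example, not the
post's or the project's own code)."""
import re
from typing import NamedTuple, Optional, Tuple

class Version(NamedTuple):
    product: str                 # "wu-ftpd" or "beroftpd"
    base: Tuple[int, int, int]   # e.g. (2, 4, 2)
    beta: Optional[int]          # beta number, None for a final release
    vr: int                      # VR patch level, 0 when absent

# Assumed input format: version strings as the post writes them.  A leading
# "wu-" prefix is tolerated; matching is case-insensitive ("BETA", "vr").
_WU = re.compile(r"^(?:wu-)?(\d+)\.(\d+)\.(\d+)(?:-beta-(\d+))?(?:-VR(\d+))?$", re.I)
_BERO = re.compile(r"^beroftpd[ -](\d+)\.(\d+)\.(\d+)$", re.I)

def parse_version(text: str) -> Version:
    """Parse one version string; raises ValueError on anything unrecognised."""
    s = text.strip()
    m = _BERO.match(s)
    if m:
        maj, mi, pa = (int(x) for x in m.groups())
        return Version("beroftpd", (maj, mi, pa), None, 0)
    m = _WU.match(s)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    maj, mi, pa, beta, vr = m.groups()
    return Version("wu-ftpd", (int(maj), int(mi), int(pa)),
                   int(beta) if beta else None, int(vr) if vr else 0)

def is_vulnerable(text: str) -> bool:
    """True when the message's rules say this version has the path overflow."""
    v = parse_version(text)
    if v.product == "beroftpd":
        return v.base < (1, 2, 0)          # BeroFTPD 1.2.0 or later: not vulnerable
    if v.base != (2, 4, 2):
        return v.base < (2, 4, 2)          # everything prior to 2.4.2 is vulnerable
    if v.beta is None:
        return False                       # 2.4.2 (final) is protected
    # 2.4.2 betas are vulnerable unless beta-18-VR10 or later
    return (v.beta, v.vr) < (18, 10)

def advice(text: str) -> str:
    """Upgrade recommendation, taken from the message's own guidance."""
    v = parse_version(text)
    if is_vulnerable(text):
        return "VULNERABLE: upgrade to wu-ftpd 2.4.2 (final)/VR16 or BeroFTPD 1.3.4"
    if v.product == "beroftpd":
        if v.base < (1, 3, 4):
            return "not vulnerable; upgrade to BeroFTPD 1.3.4 at earliest convenience"
        return "not vulnerable; current BeroFTPD"
    if v.beta is not None and v.vr <= 13:
        return "protected against this bug; VR10-VR13 should upgrade to VR14 or later"
    if v.beta is None and v.vr < 16:
        return "protected against this bug; upgrade to VR16 for maximum security"
    return "protected against this bug"

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ftp1", "2.4.2-beta-18-VR9"), ("ftp2", "2.4.2"),
                      ("ftp3", "wu-2.4.2-beta-18-VR12"), ("ftp4", "BeroFTPD 1.1.9")]:
        print(f"{host}: {ver} -> {advice(ver)}")
```

Note the two edge cases the text calls out: `2.4.2-beta-18` with no VR level sits below VR10 and is still vulnerable, while `2.4.2` (final) is protected even though it sorts before `2.4.2-beta-18-VR16` as a string.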