[15442] in bugtraq
Re: WuFTPD: Providing *remote* root since at least 1994
daemon@ATHENA.MIT.EDU (Daniel Jacobowitz)
Fri Jun 23 16:11:58 2000
Mail-Followup-To: Daniel Jacobowitz <drow@false.org>,
Bernhard Rosenkraenzer <bero@redhat.de>,
Elias Levy <aleph1@securityfocus.com>,
wuftpd-members@wu-ftpd.org, bugtraq@securityfocus.com,
vendor-sec@lst.de
Message-Id: <20000622232836.A9789@drow.them.org>
Date: Thu, 22 Jun 2000 23:28:36 -0700
Reply-To: Daniel Jacobowitz <drow@FALSE.ORG>
From: Daniel Jacobowitz <drow@FALSE.ORG>
X-To: Bernhard Rosenkraenzer <bero@redhat.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0006230217250.25605-200000@bochum.redhat.de>; from
bero@redhat.de on Fri, Jun 23, 2000 at 02:20:11AM +0200
[ Maybe I'm just out of the loop, but... does no one NOTIFY VENDORS any
more? ]
On Fri, Jun 23, 2000 at 02:20:11AM +0200, Bernhard Rosenkraenzer wrote:
> On Thu, 22 Jun 2000, Elias Levy wrote:
>
> > /* - wuftpd2600.c
> > * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999
>
> This should fix it... Since the exploit never worked for me in the first
> time and I haven't taken the time to fix it yet (fixing the bug is more
> important than fixing the exploit, I guess ;) ), it's unverified though.
>
> LLaP
> bero
Actually, here's a more useful patch.
Sorry, thanks for playing. These don't apply to the problem.
> --- wu-ftpd-2.6.0/src/ftpcmd.y.security Fri Jun 23 01:49:45 2000
> +++ wu-ftpd-2.6.0/src/ftpcmd.y Fri Jun 23 01:52:37 2000
> @@ -776,7 +776,7 @@
> if (!restricted_user && $2 != 0 && $6 != NULL) {
> char buf[MAXPATHLEN];
> if (strlen($6) + 7 <= sizeof(buf)) {
> - sprintf(buf, "index %s", (char *) $6);
> + snprintf(buf, MAXPATHLEN, "index %s", (char *) $6);
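Review bot: the sprintf-to-snprintf swap in this `index` hunk is a no-op, because the guard one line above it, `if (strlen($6) + 7 <= sizeof(buf))`, already guarantees that `"index "` (6 bytes), the argument and its NUL fit in `buf`; if the call is kept as snprintf, the size should be `sizeof(buf)` rather than the bare `MAXPATHLEN`, so the bound follows the buffer's declaration. Nothing in this hunk touches a format string, which is where the `"%s"` changes in the attached diff go.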
And it is not needed, since there is a 512 char limit on network input and MAXPATHLEN is generally about 2K.
Not to mention that could still be overflowable. snprintf() doesn't
null terminate.
> @@ -1871,6 +1871,10 @@
> char *sp = (char *) strchr(cmd, ' '), *slash, *t;
> FILE *cmdf;
>
> + if(strlen(cmd)+strlen(_PATH_EXECPATH)+1 > MAXPATHLEN) {
> + syslog(LOG_CRIT, "User probably tried SITE EXEC root exploit, refusing!");
> + return;
> + }
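Review bot: the added length check duplicates the one already a few lines further down (`strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf)`) and is looser than it (`+1` against `+2`, so it does not account for both the `/` and the NUL); drop it or fold it into the existing check. The syslog text also records a guess about the sender's intent rather than the condition observed; logging the argument length and the remote host at the same severity gives the same alert with data an incident responder can act on.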
And that's useless, since it's checked not far below (about 20 lines, I
think).
>
> @@ -1893,7 +1897,7 @@
> /* build the command */
> if (strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf))
> return;
> - sprintf(buf, "%s/%s", _PATH_EXECPATH, cmd);
> + snprintf(buf, MAXPATHLEN, "%s/%s", _PATH_EXECPATH, cmd);
>
> cmdf = ftpd_popen(buf, "r", 0);
> if (!cmdf) {
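Review bot: as in the first hunk, this snprintf cannot change behaviour, because `if (strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf)) return;` directly above it already rejects anything that would not fit; if it is kept as defence in depth, pass `sizeof(buf)` as the size and check the return value instead of relying on `MAXPATHLEN` matching the buffer.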
See first comment.
Dan
Daniel Jacobowitz, Debian GNU/Linux Developer, dan@debian.org
SCS Class of 2002, Carnegie Mellon University, dmj+@andrew.cmu.edu
[Attachment: wuftpd.diff]
diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y
--- wu-ftpd-orig/src/ftpcmd.y Wed Oct 13 08:15:28 1999
+++ wu-ftpd-2.6.0/src/ftpcmd.y Thu Jun 22 22:44:41 2000
@@ -1926,13 +1926,13 @@
}
if (!maxfound)
maxlines = defmaxlines;
- lreply(200, cmd);
+ lreply(200, "%s", cmd);
while (fgets(buf, sizeof buf, cmdf)) {
size_t len = strlen(buf);

if (len > 0 && buf[len - 1] == '\n')
buf[--len] =3D '\0';
- lreply(200, buf);
+ lreply(200, "%s", buf);
if (maxlines <= 0)
++lines;
else if (++lines >= maxlines) {
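Review bot: this is the hunk that addresses the reported bug: `lreply(200, cmd)` and `lreply(200, buf)` hand text the client controls (the SITE EXEC argument and each line the command prints) to `lreply` as its format string, so any `%` conversion in it is interpreted, and `lreply(200, "%s", ...)` turns it back into plain data. Worth adding in the same change: declare `lreply` and `reply` with `__attribute__((format(printf, 2, 3)))` (GCC/Clang) so that `-Wformat` reports any remaining caller that passes a non-literal format, since the same pattern recurs in ftpd.c in this diff.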
diff -ur wu-ftpd-orig/src/ftpd.c wu-ftpd-2.6.0/src/ftpd.c
--- wu-ftpd-orig/src/ftpd.c Thu Jun 22 22:23:40 2000
+++ wu-ftpd-2.6.0/src/ftpd.c Thu Jun 22 22:45:23 2000
@@ -3157,7 +3157,7 @@
reply(230, "User %s logged in.%s", pw->pw_name, guest ?
" Access restrictions apply." : "");
sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
- setproctitle(proctitle);
+ setproctitle("%s", proctitle);
if (logging)
syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name);
/* H* mod: if non-anonymous user, copy it to "authuser" so everyone can
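Review bot: `setproctitle("%s", proctitle)` closes the format-string hole, since `proctitle` embeds the peer-derived `remotehost` string; but the `sprintf(proctitle, "%s: %s", remotehost, pw->pw_name)` two lines above is still unbounded and this hunk does not show how large `proctitle` is, so it should become `snprintf(proctitle, sizeof(proctitle), ...)` in the same change unless the declaration provably covers `sizeof(remotehost)` plus the longest possible `pw_name`.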
@@ -5912,7 +5912,7 @@

remotehost[sizeof(remotehost) - 1] = '\0';
sprintf(proctitle, "%s: connected", remotehost);
- setproctitle(proctitle);
+ setproctitle("%s", proctitle);

wu_authenticate();
/* Create a composite source identification string, to improve the logging
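Review bot: same fix as the previous hunk; `remotehost[sizeof(remotehost) - 1] = '\0'` shows `remotehost` is a fixed-size array that may be filled to its limit, so the following `sprintf(proctitle, "%s: connected", remotehost)` is only safe if `proctitle` is declared with at least `sizeof(remotehost) + 11` bytes; use `snprintf` with `sizeof(proctitle)` so the bound does not depend on that invariant holding elsewhere in the file.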
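As an added illustration of the two points argued in this thread (the `"%s"` format-string fix in the attached diff, and the `sizeof(buf)` guard that already makes the snprintf swaps redundant), the following is example code written for this page, not wu-ftpd's own: `ex_lreply` mirrors the hardened `lreply(200, "%s", buf)` calling convention with a compiler-checked format, and `ex_build_exec_path` mirrors the guarded `_PATH_EXECPATH/cmd` construction with its return value checked. `EX_EXECPATH`, the `ex_` names and the buffer sizes are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example; wu-ftpd's real _PATH_EXECPATH and
 * buffer sizes come from its own build, not from here. */
#define EX_EXECPATH "/bin/ftp-exec"

/* lreply()-style helper using the hardened convention from the attached
 * diff: the format is always a literal and client text travels as an
 * argument. The format attribute makes -Wformat / -Wformat-security
 * report any caller that still passes a non-literal format. */
static int ex_lreply(char *out, size_t outsz, int code, const char *fmt, ...)
    __attribute__((format(printf, 4, 5)));

static int ex_lreply(char *out, size_t outsz, int code, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%d-", code);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    /* C99 snprintf always NUL-terminates when size > 0; a return value
     * >= the space offered is the portable sign that output was cut. */
    if (m < 0 || (size_t)m >= outsz - (size_t)n)
        return -1;
    return n + m;
}

/* Echo one line of SITE EXEC output as the fixed lreply(200, "%s", buf)
 * does: a '%' in the line is data, never a conversion directive. */
static int ex_echo_line(char *out, size_t outsz, const char *line)
{
    return ex_lreply(out, outsz, 200, "%s", line);
}

/* Build "<execpath>/<cmd>" behind the guard the quoted hunk already has
 * (+2 covers the '/' and the NUL). With that guard sprintf cannot overflow,
 * which is the point made in the reply; snprintf is only a second line of
 * defence, and its return value is checked rather than assumed. */
static int ex_build_exec_path(char *buf, size_t bufsz, const char *cmd)
{
    if (strlen(EX_EXECPATH) + strlen(cmd) + 2 > bufsz)
        return -1;                      /* would not fit: refuse */
    int n = snprintf(buf, bufsz, "%s/%s", EX_EXECPATH, cmd);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}
```

Compile with `-Wformat -Wformat-security` and a call such as `ex_lreply(out, sizeof out, 200, line)` is reported at build time, which is the check that would have caught the original `lreply(200, buf)`.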