[15452] in bugtraq


Re: WuFTPD: Providing *remote* root since at least 1994

daemon@ATHENA.MIT.EDU (Marcus Meissner)
Fri Jun 23 17:45:40 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID:  <20000623153359.A3289@ns.lst.de>
Date:         Fri, 23 Jun 2000 15:33:59 +0200
Reply-To: Marcus Meissner <Marcus.Meissner@CALDERA.DE>
From: Marcus Meissner <Marcus.Meissner@CALDERA.DE>
X-To:         Daniel Jacobowitz <drow@false.org>,
              Bernhard Rosenkraenzer <bero@redhat.de>,
              Elias Levy <aleph1@securityfocus.com>,
              wuftpd-members@wu-ftpd.org, vendor-sec@lst.de
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000622232836.A9789@drow.them.org>; from drow@false.org on Thu,
              Jun 22, 2000 at 11:28:36PM -0700

On Thu, Jun 22, 2000 at 11:28:36PM -0700, Daniel Jacobowitz wrote:
> [ Maybe I'm just out of the loop, but... does no one NOTIFY VENDORS any
> more? ]

Seems so.

> See first comment.
>
> Dan
>
> diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y
> --- wu-ftpd-orig/src/ftpcmd.y	Wed Oct 13 08:15:28 1999
> +++ wu-ftpd-2.6.0/src/ftpcmd.y	Thu Jun 22 22:44:41 2000

Thank you for the patch.


On a side note. While testing the exploit and patch, another not so
serious problem showed:

	$ rpm -q `which ftp`
	netkit-ftp-0.16-1
	$ ftp ftp
	Connected to <removed>.
	220 <removed> FTP server (Version wu-2.5.0(1) Fri Jun 23 14:28:51 CEST 2000) ready.
	Name (ftp:mm): ftp
	331 Guest login ok, send your complete e-mail address as password.
	Password:
	230 Guest login ok, access restrictions apply.
	Remote system type is UNIX.
	Using binary mode to transfer files.
	ftp>
	ftp> site exec hello%s
	200-hello: T
	200  (end of 'hello: ')

	$ rpm -q ncftp
	ncftp-3.0beta21-1
	$ ncftp ftp
	...
	ncftp / > site exec hello%s
	hello÷`êÀ±
	 (end of 'hello÷`êÀ')
	ncftp / >

The ftp client seems to happily interpret the %s characters passed back from
the command.

I am not sure how difficult it is to develop a reverse exploit for this one,
but it nevertheless appears to be exploitable.

Ciao, Marcus
--
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm@caldera.de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux

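The client-side bug described above (a server reply containing `%s` being handed to a printf-style function as the format string) is illustrated by the following added example. It is not code from the post, from netkit-ftp or from ncftp; the function names `count_format_directives`, `print_reply_safe`, `render_reply` and `print_reply_unsafe` and the sample replies are constructed for this illustration. It shows the buggy pattern next to the hardened one, plus a small check a client or log scanner could use to flag replies that carry conversion directives.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical check: count printf conversion directives in an untrusted
 * server reply.  A doubled "%%" is a literal percent sign, not a directive.
 * A non-zero result means the reply would be dangerous as a format string. */
int count_format_directives(const char *reply)
{
    int n = 0;
    for (const char *p = reply; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": literal percent, skip both */
            p++;
            continue;
        }
        n++;                    /* "%s", "%x", "%n", ...: a directive */
    }
    return n;
}

/* The buggy pattern the post demonstrates: the reply text itself becomes the
 * format string, so any '%' directives in it are interpreted by printf.
 * Shown for contrast only; never call this with untrusted data. */
int print_reply_unsafe(FILE *out, const char *reply)
{
    return fprintf(out, reply);  /* BUG: untrusted format string */
}

/* Hardened pattern: the reply is always an argument, never the format. */
int print_reply_safe(FILE *out, const char *reply)
{
    return fprintf(out, "%s\n", reply);
}

/* Same hardened pattern into a bounded buffer; returns the length snprintf
 * would have written, so callers can detect truncation. */
int render_reply(char *buf, size_t buflen, const char *reply)
{
    return snprintf(buf, buflen, "%s", reply);
}

int main(void)
{
    /* Constructed sample replies, modelled on the session in the post. */
    const char *replies[] = {
        "200-hello: T",
        "200  (end of 'hello: ')",
        "200-hello%s",
        "200-100%% done",
    };
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        int d = count_format_directives(replies[i]);
        printf("directives=%d reply=", d);
        print_reply_safe(stdout, replies[i]);  /* %s in the reply stays literal */
    }
    return 0;
}
```

With the safe functions the `%s` in a reply is printed verbatim; with `print_reply_unsafe` it would be expanded, which is exactly the garbage output shown in the ncftp session above.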