[16997] in bugtraq
Re: Wu-ftpd 2.6.1(1)
daemon@ATHENA.MIT.EDU (Chris Evans)
Mon Oct 2 17:55:32 2000
Message-ID: <Pine.LNX.4.21.0010021744001.13591-100000@ferret.lmh.ox.ac.uk>
Date: Mon, 2 Oct 2000 17:52:13 +0100
Reply-To: Chris Evans <chris@SCARY.BEASTS.ORG>
From: Chris Evans <chris@SCARY.BEASTS.ORG>
X-To: Javor Ninov <javor@MG-BG.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <001301c02c8d$ca506090$dc20a8c0@mgoracle2000>

On Mon, 2 Oct 2000, Javor Ninov wrote:
> somewhere:/$ ftp 127.0.0.1
[...]
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> quote %s%s%s%s
> 500 'TP¿9(NULL)': command not understood.
> ftp>quote %s%s%s%s%s
> Segmentation fault
> somewhere:/$ uname -a
> Linux somewhere 2.2.12 #1 Sun Sep 19 13:35:59 EEST 1999 i686 unknown
> somewhere:/$
> This is a Slackware 4.0 with last wuftpd.tgz ( 02-oct-2000 )

In the above sequence, I can clearly see "Segmentation fault".

Does this not suggest that the ftp _client_ is at fault, not the wuftpd
server?

A quick test locally,

ftp> quote %s%s%s%s%s%s
Segmentation fault (core dumped)
[chris@blah chris]$ file core
core: ELF 32-bit LSB core file of 'ftp' (signal 11), ...

So, there is a format string bug in the ftp client. I am currently on a
machine with RedHat-6.1, and:

ftp-0.15-1

Clearly this needs fixing, if it is not already fixed in a more recent
version.

Connecting to a wu-ftpd server with raw telnet:

[chris@blah chris]$ telnet x.x.x.x ftp
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 x.x.x.x FTP server (Version wu-2.6.0(1) Fri Jun 23 09:22:33
EDT 2000) ready.
user ftp
331 Guest login ok, send your complete e-mail address as password.
pass chris@
230 Guest login ok, access restrictions apply.
quote %s%s%s%s%s%s%s%s%s%s
500 'QUOTE %s%s%s%s%s%s%s%s%s%s': command not understood.

So the server seems to handle this fine.

Cheers
Chris
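The two behaviours in the thread (a client that crashes on `quote %s%s%s%s%s`, a server that echoes the directives back literally in its 500 reply) come down to one difference in how a reply line is built. The following is an added illustration, not code from the netkit ftp client, from wu-ftpd, or from the thread's authors: a printf-style helper of the kind both programs carry, called once the vulnerable way (untrusted text used as the format) and once the hardened way (constant format, untrusted text bound to `%s`), plus a small audit check that counts conversion specifications in a string before it reaches a format parameter. Function names, reply text and sample inputs are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from ftp-0.15 or wu-ftpd. Names and strings are
 * constructed; "500 '%s': command not understood." mirrors the wording of the
 * server reply seen in the thread. */

/* A typical printf-style reply/log helper: the first argument is the format.
 * Such helpers are where format string bugs live, because nothing stops a
 * caller from passing remote-controlled text in the fmt position. */
static int emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the untrusted text IS the format string. Every '%'
 * directive in it makes vsnprintf read a variadic argument that was never
 * passed, which is undefined behaviour; the "Segmentation fault" in the
 * thread is the benign outcome. Only ever call this with inert input. */
static int build_reply_unsafe(char *out, size_t outsz, const char *untrusted)
{
    return emit(out, outsz, untrusted);
}

/* Hardened pattern: constant format string, untrusted text consumed by a
 * single %s, so directives in it are copied as literal characters. This is
 * the behaviour the wu-ftpd 500 reply shows. */
static int build_reply_safe(char *out, size_t outsz, const char *untrusted)
{
    return emit(out, outsz, "500 '%s': command not understood.", untrusted);
}

/* Review/audit aid: count conversion specifications ('%' not followed by
 * another '%') in a string about to reach a format parameter. Zero means the
 * string is inert as a format; anything else is a finding worth tracing. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char line[128];
    const char *benign  = "QUOTE HELP";        /* constructed sample input */
    const char *hostile = "QUOTE %s%s%s%s%s";  /* constructed: the thread's probe */

    /* With benign input both variants produce the same text, which is why
     * the defect goes unnoticed until someone sends a '%'. */
    build_reply_unsafe(line, sizeof line, benign);
    printf("unsafe, benign : %s\n", line);
    build_reply_safe(line, sizeof line, benign);
    printf("safe,   benign : %s\n", line);

    /* The safe variant echoes the directives literally, as the server did. */
    build_reply_safe(line, sizeof line, hostile);
    printf("safe,   hostile: %s\n", line);
    printf("conversions in hostile input: %d\n", count_conversions(hostile));

    /* build_reply_unsafe(line, sizeof line, hostile) is deliberately not
     * called: it would read five pointer arguments that do not exist. */
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` catches `snprintf(out, n, untrusted)` written directly, but not the indirection through `emit`, since the compiler does not know `emit`'s third parameter is a format; marking such helpers with `__attribute__((format(printf, 3, 4)))` restores the warning at every call site, which is the cheapest way to find this class of bug in a code base.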