[17006] in bugtraq
Re: Wu-ftpd 2.6.1(1)
daemon@ATHENA.MIT.EDU (Chris Evans)
Tue Oct 3 00:50:57 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0010022342470.14088-100000@ferret.lmh.ox.ac.uk>
Date: Mon, 2 Oct 2000 23:57:57 +0100
Reply-To: Chris Evans <chris@SCARY.BEASTS.ORG>
From: Chris Evans <chris@SCARY.BEASTS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <NDBBJJFGOLBDCDMLIGBLGENLCAAA.erik@digitaloffense.net>
[I wrote erroneously]
> -----Original Message-----
> quote %s%s%s%s%s%s%s%s%s%s
> 500 'QUOTE %s%s%s%s%s%s%s%s%s%s': command not understood.
D'oh, of course the FTP client quote command is not an FTP protocol
command.
In case anyone cares, I isolated the _client_ bug which started this whole
thread.
In ftp/cmds.c: quote1()

    ...
    if (command(buf) == PRELIM) {
        while (getreply(0) == PRELIM);
    }
    ...
command() is a varargs function, and the first argument is in fact
eventually passed as a format string to vsprintf().
It has been fixed in some but not all codebases derived from bsd-ftp. For
example it is fixed in Linux netkit-0.17-pre20000412;
    ...
    if (command("%s", buf) == PRELIM) {
        while (getreply(0) == PRELIM);
    }
    ...
But all this is highly uninteresting because the segfault occurs in
response to what a user types in at the ftp> prompt, NOT in response to
anything a malicious server might be sending out.
Cheers
Chris
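The bug and its fix, as an added example that is not code from the BSD or netkit ftp sources: a small stand-in for the client's varargs command() helper (here called build_command(); the names, the buffer size and the input line are assumptions for illustration) shows why passing user text as the first argument makes it a format string, and why the constant "%s" format copies the same text verbatim. A directive-counting helper is included as the kind of check a code review or input audit would apply before data reaches a format argument; the vulnerable form is only ever exercised with a directive-free line, since feeding it "%s" directives is undefined behaviour (the client segfault described above).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the ftp client's command(): formats a line to send to the
 * server. Like the original, its first argument is a printf-style format
 * string, so whatever lands there is interpreted by vsnprintf(). */
static int build_command(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable form, as in the old quote1(): the user-typed line is the format.
 * With '%' directives in user_line this is undefined behaviour, so it must
 * only be called with directive-free text. Returns the formatted length. */
int quote_vulnerable(char *out, size_t outlen, const char *user_line)
{
    return build_command(out, outlen, user_line);
}

/* Fixed form, as in netkit-0.17-pre20000412: the format is a constant and the
 * user text is only ever a %s argument, so it is copied through unchanged. */
int quote_fixed(char *out, size_t outlen, const char *user_line)
{
    return build_command(out, outlen, "%s", user_line);
}

/* Audit helper: count printf conversion directives in a string. A non-zero
 * count for data that came from a user, a file or the network, in a place
 * where the string will be used as a format, is the signature of this bug
 * class. "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    /* Constructed input: what a user might type at the ftp> prompt. */
    const char *typed = "quote %s%s%s%s%s%s%s%s%s%s";

    quote_fixed(buf, sizeof buf, typed);
    printf("fixed form sends : %s\n", buf);
    printf("directives found : %d\n", count_format_directives(typed));
    /* quote_vulnerable(buf, sizeof buf, typed) would make vsnprintf() read
     * ten va_args that were never passed: undefined behaviour. */
    return 0;
}
```

The fixed form returns exactly the typed line, directives and all, which is the whole point: the text reaches the server as data, never as a format.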