Bugtraq mailing list archives
Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x
From: joy () NEVKOS GKVK HR (Josip Rodin)
Date: Wed, 25 Aug 1999 21:11:43 +0200
On Sun, Jul 04, 1999 at 01:38:48PM +0200, Michal Zalewski wrote:
----------------------------
wu-ftpd 2.5, VR and BeroFTPD
----------------------------

Compromise: remote root
Solution: add strlen() check somewhere

There's an overflow in wu-ftpd 2.5 and prior releases (including VR and BeroFTPD) in mapped_path when mapping current working directory to command-line. While I discovered this vulnerability by myself, I don't want to provide exploit code, as all other, hard work has been done independently by someone else. Instead of that, there's a .diff file with patch, attached somewhere as ftpd.diff.
The Debian package of wu-ftpd (2.5.0-3) has just been updated with this patch: --- wu-ftpd-2.5.0.orig/src/ftpd.c +++ wu-ftpd-2.5.0/src/ftpd.c @@ -1243,9 +1246,12 @@ } /* append the dir part with a leading / unless at root */ - if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') ) - strcat( mapped_path, "/" ); - strcat( mapped_path, dir ); + if ( strlen( mapped_path ) + strlen( dir ) < MAXPATHLEN-2 ) { + if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') ) + strcat( mapped_path, "/" ); + strcat( mapped_path, dir ); + } else + syslog( LOG_ERR, "mapped_path overflow: possible exploit attempt" ); } int Correct me if I'm wrong, but it doesn't seem that the wu-ftpd Academ betas (specifically beta 16, included in Debian 2.1 (slink)) are vulnerable. Thus I doubt that our security team will issue an advisory, because this version is present only in the unstable distribution. -- enJoy -*/\*- don't even try to pronounce my first name
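Review bot: The else branch of the ftpd.c hunk only calls syslog() and then falls through, so when the length check fails mapped_path is left unchanged and the caller gets no indication that the directory component was dropped; the failure should be reported back so the command is rejected instead of leaving the mapped path out of step with the request. The bound `strlen( mapped_path ) + strlen( dir ) < MAXPATHLEN-2` is only safe if mapped_path is declared with at least MAXPATHLEN bytes, which these lines do not show; comparing against sizeof(mapped_path) would tie the check to the actual buffer. The log message would also be more useful for triage if it recorded the rejected length and the session's user or remote host.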