comment about ftp exploit

[ayu1 () NYCAP RR COM (Alex Yu)]

> -----Original Message-----
> From: owner-wu-ftpd () wugate wustl edu [mailto:owner-wu-ftpd@wugate.wustl.
> edu] On Behalf Of Gregory A Lundberg
> Sent: Tuesday, March 23, 1999 10:44 AM
> To: Russ Allbery
> Cc: ayu1 () nycap rr com; wu-ftpd () wugate wustl edu
> Subject: Re: FW: ftp exploit
>
>
> On 23 Mar 1999, Russ Allbery wrote:
>
> > > any comments?
> >
> > It's an exploit script for the path overflow bug that's already been
> > announced by CERT, been on all the security lists, and has already
> > been fixed in the latest version of every wu-ftpd variant that I'm
> > aware of as well as being the impetus for the final mainline wu-ftpd
> > release?
>
> Correct.  This is a full exploit against Redhat 5.2 (the original advisory
> was based upon a test, not an exploit).
>
> My comment: This posting proves why you need to keep up with the CERT
> mailing list, if not Bugtraq and other lists.  As often heppens, the
> exploit followed the discovery of the vulnerability by several weeks.
> While it sometimes happens that exploits are distributed before the daemon
> authors are notified and public security announcement made, this was not
> the case here.
>
>
>
> My testing shows:
>
> This is an exploit using the buffer overflow described in
>
>   CERT Advisory CA-99.03 - FTP-Buffer-Overflows
>
> Available from htp://www.CERT.org/
>
> It is directed solely at Redhat CD 4.2 Linux systems running a clean,
> default install.  It was not successfull on unclean 5.2 systems, the
> pre-5.2 systems I tested on, or when I built the daemon by-hand instead of
> using  a Redhat (S)RPM.  My testing showed, while none of the systems I
> have available were exploitable, the exploit WOULD HAVE WORKED but failed
> for identifiable reasons.
>
> Given working code for Redhat 4.2, it should be a fairly simply matter to
> port to non-Linux or non-5.2 systems.
>
>
>
> WHO IS VULNERABLE
> -----------------
>
>  - Systems running ALL versions of WU-FTPD _prior_ to 2.4.2 (final),
>    including all 2.4.2-beta versions, ARE VULNERABLE, except as noted
>    below:
>
>  - Systems with proper upload clauses are partially protected.  Many
>    systems do not use proper upload clauses for real/guest users and are
>    NOT protected from abuse by their local users.
>
>  - Systems with proper permissions are partially protected.  Most systems
>    do not use proper permissions for real/guest users since they would
>    prevent use by Telnet/SSH/Shell .. such systems are NOT protected from
>    their local users.
>
>
>
> WHO IS NOT VULNERABLE
> ---------------------
>
>  - Systems running 2.4.2 (final) are protected against _this_ bug.  Such
>    systems should upgrade to VR16 for maximum security; a number of other
>    bugs and security problems have been fixed in VR16.
>
>  - Systems running 2.4.2-beta-18-VR10 or later are protected.  Anyone
>    running VR10 through VR13 should upgrade to VR14 or later at your
>    earliest convenience.
>
>  - Systems running BeroFTPD 1.2.0 or later are NOT vulnerable.  All
>    BeroFTPD systems should upgrade to the current version (1.3.4) at their
>    earliest conenience.  Anyone running a vulnerable system with NEWVIRT,
>    will want to immedeately upgrade to BeroFTPD.
>
>
>
> The location of the latest version of wu-ftpd can be found in the
> directory
>
>      ftp://ftp.vr.net/pub/wu-ftpd/
>
> wu-ftpd Resource Center:  http://www.landfield.com/wu-ftpd/
> wu-ftpd FAQ:              http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
> wu-ftpd list archive:     http://www.landfield.com/wu-ftpd/mail-archive/
>
> --
>
> Gregory A Lundberg              Senior Partner, VRnet Company
> 1441 Elmdale Drive              lundberg+wuftpd () vr net
> Kettering, OH 45409-1615 USA    1-800-809-2195