Bugtraq mailing list archives
comment about ftp exploit
From: ayu1 () NYCAP RR COM (Alex Yu)
Date: Tue, 23 Mar 1999 13:52:04 -0500
-----Original Message-----
From: owner-wu-ftpd () wugate wustl edu [mailto:owner-wu-ftpd@wugate.wustl.edu] On Behalf Of Gregory A Lundberg
Sent: Tuesday, March 23, 1999 10:44 AM
To: Russ Allbery
Cc: ayu1 () nycap rr com; wu-ftpd () wugate wustl edu
Subject: Re: FW: ftp exploit

On 23 Mar 1999, Russ Allbery wrote:

> > any comments?
>
> It's an exploit script for the path overflow bug that's already been
> announced by CERT, been on all the security lists, and has already been
> fixed in the latest version of every wu-ftpd variant that I'm aware of as
> well as being the impetus for the final mainline wu-ftpd release?

Correct. This is a full exploit against Redhat 5.2 (the original advisory was based upon a test, not an exploit).

My comment:

This posting proves why you need to keep up with the CERT mailing list, if not Bugtraq and other lists. As often happens, the exploit followed the discovery of the vulnerability by several weeks. While it sometimes happens that exploits are distributed before the daemon authors are notified and public security announcement made, this was not the case here.

My testing shows:

This is an exploit using the buffer overflow described in

    CERT Advisory CA-99.03 - FTP-Buffer-Overflows
    Available from http://www.CERT.org/

It is directed solely at Redhat CD 4.2 Linux systems running a clean, default install. It was not successful on unclean 5.2 systems, the pre-5.2 systems I tested on, or when I built the daemon by-hand instead of using a Redhat (S)RPM.

My testing showed, while none of the systems I have available were exploitable, the exploit WOULD HAVE WORKED but failed for identifiable reasons. Given working code for Redhat 4.2, it should be a fairly simple matter to port to non-Linux or non-5.2 systems.

WHO IS VULNERABLE
-----------------

- Systems running ALL versions of WU-FTPD _prior_ to 2.4.2 (final), including all 2.4.2-beta versions, ARE VULNERABLE, except as noted below:

  - Systems with proper upload clauses are partially protected. Many systems do not use proper upload clauses for real/guest users and are NOT protected from abuse by their local users.

  - Systems with proper permissions are partially protected. Most systems do not use proper permissions for real/guest users since they would prevent use by Telnet/SSH/Shell .. such systems are NOT protected from their local users.

WHO IS NOT VULNERABLE
---------------------

- Systems running 2.4.2 (final) are protected against _this_ bug. Such systems should upgrade to VR16 for maximum security; a number of other bugs and security problems have been fixed in VR16.

- Systems running 2.4.2-beta-18-VR10 or later are protected. Anyone running VR10 through VR13 should upgrade to VR14 or later at your earliest convenience.

- Systems running BeroFTPD 1.2.0 or later are NOT vulnerable. All BeroFTPD systems should upgrade to the current version (1.3.4) at their earliest convenience.

Anyone running a vulnerable system with NEWVIRT, will want to immediately upgrade to BeroFTPD.

The location of the latest version of wu-ftpd can be found in the directory
ftp://ftp.vr.net/pub/wu-ftpd/

wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/

--
Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg+wuftpd () vr net
Kettering, OH 45409-1615 USA    1-800-809-2195