Bugtraq mailing list archives
Re: WuFTPD: Providing *remote* root since at least 1994
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Sat, 1 Jul 2000 10:48:44 +0200
Hi. On Thu, Jun 29, 2000 at 11:20:59AM -0700, Eric Hines wrote:
Has anyone come out with a working version of this exploit script? Both versions provided on the securityfocus.com web site, and/or the one distributed here by TF8, are not working, even after I fixed his code. Do we know for sure the thing even exists? I dunno, can anyone direct me to the actual code, because I have yet to see a working version of it that doesn't core dump. Please advise.

Eric

Both wuftpd2600.c and bobek.c work after some fiddling in the code, though there are far superior exploits for this vulnerability out there that don't even require a single offset to be known. And yes, we know it's exploitable for sure on at least x86 *BSD and Linux.

But some comments: in some compilations, especially most of the 2.5.0 versions, this vulnerability is not exploitable. To check whether it is, just log in using telnet and then try:

SITE EXEC |%040d|%.f|

In case it is not exploitable it looks like:

200-|%040d|%.f|
200 (end of '|%040d|%.f|')

or

200-|0000000000000000000000000000000134650882|???????|
200 (end of '|%040d|%.f|')

The first is obvious: someone patched it. The second is because the snprintf.c that comes with wuftpd doesn't provide "%.f" nor "%n" and is safe (although I just took a quick look drunk at 3am, so don't quote me on that). This snprintf.c file is used if the configure/build script detects that the host system doesn't provide a vsnprintf. It does that often, although the system has one. So in case you see '?' chars in the reply, it is NOT exploitable.

A reply from an exploitable system should look like:

200-|0000000000000000000000000000000134650882|2312321|
200 (end of '|%040d|%.f|')

(or similar, eg "|NaN|" or "8293.2131").
ciao, scut / teso
--
scut () nb in-berlin de - http://nb.in-berlin.de/scut/
you don't need a lot of people to be great, you need a few great to be the best
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon
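As an added example (not code from scut's post or from wu-ftpd), the following Python classifier sorts the three reply shapes described above, which is handy when re-checking your own wu-ftpd builds after patching or a rebuild against the system vsnprintf. The sample replies are constructed from the post, and the `vulnerable` label means only what scut describes: both directives were interpreted by the libc.

```python
import re

# Constructed sample replies (not captured from a real host) reproducing the
# three reply shapes scut describes for "SITE EXEC |%040d|%.f|".
REPLY_PATCHED = (
    "200-|%040d|%.f|\r\n"
    "200 (end of '|%040d|%.f|')\r\n"
)
REPLY_SAFE_SNPRINTF = (
    "200-|0000000000000000000000000000000134650882|???????|\r\n"
    "200 (end of '|%040d|%.f|')\r\n"
)
REPLY_VULNERABLE = (
    "200-|0000000000000000000000000000000134650882|2312321|\r\n"
    "200 (end of '|%040d|%.f|')\r\n"
)

# What "%.f" yields for an arbitrary double: digits, an optional fraction, NaN or Inf.
_FLOATISH = re.compile(r"^-?(?:\d+(?:\.\d*)?|nan|inf)$", re.IGNORECASE)


def classify_site_exec_reply(reply: str) -> str:
    """Classify one SITE EXEC reply as 'patched', 'safe-snprintf', 'vulnerable' or 'unknown'."""
    for line in reply.splitlines():
        if not line.startswith("200-"):
            # The terminating "200 (end of ...)" line echoes our own input; ignore it.
            continue
        fields = line[4:].split("|")
        if len(fields) != 4:  # expect '', <%040d result>, <%.f result>, ''
            return "unknown"
        d_field, f_field = fields[1], fields[2]
        if d_field == "%040d":
            # Directives came back literally: the string never reached a printf-family call.
            return "patched"
        if "?" in f_field:
            # wu-ftpd's bundled snprintf.c prints '?' for %.f (and lacks %n): not exploitable.
            return "safe-snprintf"
        if d_field.isdigit() and len(d_field) >= 10 and _FLOATISH.match(f_field):
            # Zero-padded number (40 digits on a faithful reply) plus a float-ish value:
            # both directives were interpreted by the libc, so user input reached the format.
            return "vulnerable"
        return "unknown"
    return "unknown"
```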