Bugtraq mailing list archives

Re: WuFTPD: Providing *remote* root since at least 1994


From: eric.hines () NUASIS COM (Eric Hines)
Date: Thu, 29 Jun 2000 11:20:59 -0700


Has anyone come out with a working version of this exploit script? Both
versions provided on the securityfocus.com web site, and/or the one distributed
here by TF8, are not working, even after I fixed his code. Do we know for sure
the thing even exists.. I dunno, can anyone direct me to the actual code,
because I have yet to see a working version of it that doesn't core dump.
Please advise.

Eric

On Thu, 29 Jun 2000, Casper Dik wrote:

> >>>>> "Mouse" == der Mouse <mouse () RODENTS MONTREAL QC CA> writes:
>
Not to mention that could still be overflowable.  snprintf() doesn't
null terminate.

Mouse> Then IMO it's broken - what's your reference for thinking it doesn't?
Mouse> The only snprintf manpage I have at hand (NetBSD's) says

The behaviour of snprintf() has _changed_. The evil forces of POSIX (as
opposed to the benign forces of POSIX) changed the semantics without
changing the function name. They never learn...

POSIX?  Perhaps you mean X/Open?  X/Open does guarantee NUL termination.
The return value is, however, not properly specified.

http://www.opengroup.org/onlinepubs/007908799/xsh/fprintf.html

lists undefined behaviour for n < 1 (return a value < 1) and also
appears to indicate it will return at most "n - 1".

I think a defect report was issued; X/Open is also likely to
follow C99.

So, if you use snprintf() in portable code, you must either:

- Check to see if it null-terminates

If it doesn't, it's broken.

- Check to see what value it returns (number of bytes copied? number of
bytes it _would_ have copied, if bufflen was infinite? -1 (what's errno)? 0?)

That is something that differs from implementation to implementation; I'm
told even the original one returned bytes copied rather than whatever
sprintf() would have returned.

Also, be aware that snprintf(NULL, 0, fmt, ...) and snprintf(buf, 0, fmt, ...)
are dangerous constructs to use (few implementations return the sprintf()
result in that case).


Since snprintf() shares the printf() formatting engine with the other
functions it can return -1 w/ errno = EILSEQ on UNIX98 compliant systems.
(And probably other errnos too)

However, EILSEQ will only happen for wide char conversions; static
inspection of the snprintf fmt string will tell you whether or not
you'll encounter them.

Casper

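The points Casper makes above (snprintf() may or may not NUL-terminate, its return value may be bytes copied, the would-be length, or -1, and n == 0 is implementation-specific) translate into a small set of defensive habits when building strings with bounded formatting. The following C is an added example written for this archive page, not code from the thread, from wu-ftpd, or from any libc; the `strbuf` type, `strbuf_appendf()` and `build_line()` are names chosen here. It forces the terminator itself, never passes n == 0, and never uses the snprintf() return value as a buffer offset without bounding it first, which is the mistake behind the classic `p += snprintf(p, room, ...)` overrun on C99 libcs.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded format operation. */
typedef enum { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 } fmt_status;

/* Fixed-capacity text buffer that several formatted appends write into.
 * (Hypothetical helper type for this example.) */
struct strbuf {
    char *data;
    size_t cap;      /* bytes available, including the terminating NUL */
    size_t len;      /* bytes used, excluding the NUL */
    int truncated;   /* set once any append did not fit */
};

void strbuf_init(struct strbuf *sb, char *storage, size_t cap)
{
    sb->data = storage;
    sb->cap = cap;
    sb->len = 0;
    sb->truncated = 0;
    if (cap > 0)
        storage[0] = '\0';
}

/* Append formatted text without trusting the local snprintf() semantics. */
fmt_status strbuf_appendf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    int rc;
    size_t room;

    /* Refuse to ever call vsnprintf() with n == 0: its result there is
     * implementation-specific, as the thread notes. */
    if (sb->cap == 0 || sb->len >= sb->cap)
        return FMT_ERROR;
    room = sb->cap - sb->len;   /* always >= 1 */

    va_start(ap, fmt);
    rc = vsnprintf(sb->data + sb->len, room, fmt, ap);
    va_end(ap);

    /* Pre-C99 implementations may not terminate on truncation; do it ourselves. */
    sb->data[sb->cap - 1] = '\0';

    if (rc < 0) {                    /* -1: old-style truncation flag, or EILSEQ */
        sb->data[sb->len] = '\0';    /* drop whatever partial output was written */
        return FMT_ERROR;
    }
    if ((size_t)rc >= room) {        /* C99: rc is the length that WOULD have been written */
        sb->len = sb->cap - 1;       /* clamp; a naive "len += rc" would point past the end */
        sb->truncated = 1;
        return FMT_TRUNCATED;
    }
    /* Note: a libc that returns "bytes copied" cannot distinguish an exact fit
     * from truncation here; forcing the NUL above keeps that case memory-safe. */
    sb->len += (size_t)rc;
    return FMT_OK;
}

/* Build a constructed log line "user=<u> cmd=<c>" into out[cap] from two
 * appends; returns whether the whole line fit. */
fmt_status build_line(char *out, size_t cap, const char *user, const char *cmd)
{
    struct strbuf sb;
    strbuf_init(&sb, out, cap);
    strbuf_appendf(&sb, "user=%s ", user);
    strbuf_appendf(&sb, "cmd=%s", cmd);
    return sb.truncated ? FMT_TRUNCATED : FMT_OK;
}

int main(void)
{
    char line[16];   /* deliberately small to exercise the truncation path */
    fmt_status st;

    st = build_line(line, sizeof line, "bob", "ls");      /* exact fit: 15 chars + NUL */
    printf("%d \"%s\"\n", (int)st, line);

    st = build_line(line, sizeof line, "bob", "whoami");  /* does not fit: clamped */
    printf("%d \"%s\" len=%zu\n", (int)st, line, strlen(line));
    return 0;
}
```

The two calls in `main()` cover the edge cases discussed in the thread: the first fills the buffer exactly (return value equals room - 1, no truncation), the second overflows the logical length and shows that the stored length is clamped to `cap - 1` and the buffer is still terminated, regardless of what the platform's snprintf() returned.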


