Bugtraq mailing list archives
RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
From: Craig Leikis <cleikis () superpages com>
Date: Thu, 29 Nov 2001 14:29:00 -0600 (CST)
On Solaris 8, running wu-ftpd 2.6.1(1), ls "~{" didn't cause a problem, but "dir ~{" did. It produced the following log message:

Nov 29 13:50:07 xxx ftpd[6132]: [ID 148269 daemon.error] exiting on signal 11

On Thu, 29 Nov 2001, Junius, Martin wrote:
> > I am running a linux port of the bsd ftpd and it might be vulnerable to a similar attack,
> >
> > ftp localhost
> > Connected to localhost.
> > 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> > Name (localhost:user): ftp
> > 331 Guest login ok, type your name as password.
> > Password:
> > 230 Guest login ok, access restrictions apply.
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls ~{
> > 200 PORT command successful.
> > 421 Service not available, remote server has closed connection
> >
> > in inetd I find an error stating that the ftpd process has died unexpectedly
> >
> > Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
>
> I just did some tests with RedHat 7.2, glibc-2.2.4-19, and ftpd-BSD-0.3.2. "ls ~{" makes the ftpd process die in glibc's glob(pattern="~{", ...) function with a SEGV.
>
> Besides that, ftpd-BSD uses globfree() to release the memory. So as long as glibc's glob() is safe, ftpd-BSD *should* be safe against this exploit.
>
> On RedHat 6.2, glibc-2.1.3-22, "ls ~{" simply returns "No such file or directory".
>
> Martin
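The thread pins the ftpd-BSD crash on the C library's glob() rather than on the daemon, so the local libc can be checked directly. The following is an added example, not code from the thread or from either ftpd: it calls glob() on the pattern quoted above in a forked child and reports whether the child was killed by a signal. The name glob_probe and the flag set (GLOB_BRACE | GLOB_TILDE) are assumptions, not taken from ftpd-BSD's source.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes GLOB_BRACE / GLOB_TILDE on glibc */
#endif
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef GLOB_BRACE             /* libcs without these extensions */
#define GLOB_BRACE 0
#endif
#ifndef GLOB_TILDE
#define GLOB_TILDE 0
#endif

/* Hypothetical helper: run glob() on `pattern` in a child process.
 * Returns 0 if glob() returned (match or no match), the signal number
 * if the child was killed (11 = SIGSEGV, as in the logs quoted above),
 * or -1 if fork/waitpid failed. */
int glob_probe(const char *pattern)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        glob_t g;
        memset(&g, 0, sizeof g);       /* never hand glob() stack garbage */
        int rc = glob(pattern, GLOB_BRACE | GLOB_TILDE, NULL, &g);
        if (rc == 0)
            globfree(&g);              /* release results only on success */
        _exit(0);                      /* reached only if glob() survived */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    const char *patterns[] = { "~{", "*" };   /* "*" is a control case */
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        int sig = glob_probe(patterns[i]);
        printf("glob(\"%s\"): %s (%d)\n", patterns[i],
               sig == 0 ? "returned" : sig > 0 ? "killed by signal" : "error", sig);
    }
    return 0;
}
```

A result of 0 for "~{" means this libc's glob() rejects or ignores the unterminated brace without faulting; a non-zero signal number matches the "exit signal 11" symptom reported in the thread.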