Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability

From: Fred Mobach <fred () mobach nl>
Date: Fri, 30 Nov 2001 11:08:25 +0100
"Junius, Martin" wrote:


I just did some tests with RedHat 7.2, glibc-2.2.4-19, and ftpd-BSD-0.3.2.
"ls ~{" makes the ftpd process die in glibc´s glob(pattern="~{", ...)
function with a SEGV. Beside that ftpd-BSD uses globfree() to release
the memory. So as long as glibc's glob() is safe, ftpd-BSD *should*
be safe against this exploit.


SGI's ftp in IRIX 6.5 isn't vulnerable :

erwin 1% uname -a
IRIX erwin 6.5 01221644 IP32

fred@servans:~/a> ftp erwin
Connected to erwin.mobach.nl.
220 erwin.mobach.nl FTP server ready.
Name (erwin:fred): mendel
331 Password required for mendel.
Password:
230 User mendel logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
500 'EPSV': command not understood.
227 Entering Passive Mode (172,16,21,158,4,241)
150 Opening ASCII mode data connection for '/bin/ls'.
UX:ls: ERROR: Cannot access ~{: No such file or directory
226 Transfer complete.
ftp>

Regards,

Fred
-- 
Fred Mobach - fred () mobach nl - postmaster () mobach nl
Systemhouse Mobach bv - The Netherlands - since 1976

Save Harbour for encumbered Free and Open Source software and links:
http://apache.dataloss.nl/~fred/
Previous By Date Next
Previous By Thread Next

Current thread: