Re: Red Hat 6.2's ftp segmentation fault

[ofriedrichs () SECURITYFOCUS COM (Oliver Friedrichs)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This looks like a client side bug which has no significance,
security-wise, unless it can be exploited in some way by a malicious
remote FTP server (even then, crashing your ftp client isn't
significant other than an annoyance).  It should be fixed nontheless.

Oliver

> -----Original Message-----
> From: Paulo Ribeiro [mailto:prrar () NITNET COM BR]
> Sent: Thursday, June 22, 2000 4:58 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Red Hat 6.2's ftp segmentation fault
>
>
> Hi, folks.
>
> Look what I found this evening (Red Hat Linux 6.2, kernel 2.2.16):
>
> [user@my /]$ rpm -q ftp
> ftp-0.16-3
> [user@my /]$ ftp host
> Connected to host.
> 220 host FTP server (Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT
> 1999) ready.
> Name (host:user): ftp
> 331 Guest login ok, send your complete e-mail address as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> put *
> Segmentation fault (core dumped)
> [user@my /]$ gdb ftp core
> GNU gdb 19991004
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public
> License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...
> (no debugging symbols found)...
> Core was generated by `ftp slackware'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...
> (no debugging symbols found)...done.
> Reading symbols from /usr/kerberos/lib/libkrb4.so.2...
> (no debugging symbols found)...done.
> Reading symbols from /usr/kerberos/lib/libkrb5.so.2...
> (no debugging symbols found)...done.
> Reading symbols from /usr/kerberos/lib/libdes425.so.3...
> (no debugging symbols found)...done.
> Reading symbols from /usr/kerberos/lib/libk5crypto.so.2...
> (no debugging symbols found)...done.
> Reading symbols from /usr/kerberos/lib/libcom_err.so.3...
> (no debugging symbols found)...done.
> Reading symbols from /lib/libutil.so.1...done.
> Reading symbols from /lib/libcrypt.so.1...done.
> Reading symbols from /lib/libresolv.so.2...done.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> Reading symbols from /lib/libnss_nisplus.so.2...done.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /lib/libnss_nis.so.2...done.
> Reading symbols from /lib/libnss_dns.so.2...done.
> #0  chunk_free (ar_ptr=0x401fbd60, p=0x8070a34) at malloc.c:3049
> 3049    malloc.c: No such file or directory.t malloc.c:3049
> (gdb) where
> #0  chunk_free (ar_ptr=0x401fbd60, p=0x8070a34) at malloc.c:3049
> #1  0x40166fba in __libc_free (mem=0x8070a3c) at malloc.c:3023
> #2  0x804d8a8 in strcpy () at ../sysdeps/generic/strcpy.c:30
> #3  0x804b00a in strcpy () at ../sysdeps/generic/strcpy.c:30
> #4  0x8055860 in login ()
> #5  0x80555ac in login ()
> #6  0x401259cb in __libc_start_main (main=0x80551c0 <login+24584>,
> argc=2,
>     argv=0xbffffb44, init=0x8049aa0, fini=0x8057a0c <lstat+88>,
>     rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb3c)
>     at ../sysdeps/generic/libc-start.c:92
>
> Any idea?
>
> Yours,
> Paulo Ribeiro.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOVONhcm4FXxxREdXEQIplACfdUnqa0nokMhErT5Kxet8tFvLFCwAn1Sf
ldkdjmQ/vZjk7FvIHMVJSINH
=CnfU
-----END PGP SIGNATURE-----