Vulnerability Development mailing list archives
Re: Red Hat 6.2's ftp segmentation fault
From: osvaldojaneri () UOL COM BR (Osvaldo J. Filho)
Date: Fri, 23 Jun 2000 15:14:04 -0300
Yes, there is a Wu-FTPD 2.6.0 private exploit around here. I got the exploit too, and it looks like it works. Change to ProFTPD or NcFTPD. The start of the exploit:
/* - wuftpd2600.c
 * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999
 *
 * WUFTPD 2.6.0 REMOTE ROOT EXPLOIT
 * by tf8
 *
 * *NOTE*: For ethical reasons, only an exploit for 2.6.0 will be
 * released (2.6.0 is the most popular version nowadays), and it
 * should suffice to proof this vulnerability concept.
 *
 * Site exec was never really *fixed*
The exploit uses site exec, but 'put' may be vulnerable too.

Osvaldo Janeri Filho
IT Consultant
E-Commerce, E-Security, E-Solutions
osvaldojaneri () uol com br
Fortaleza Ceará
*****************************************************************************
Contact by email: osvaldojaneri () uol com br
Telephone: +55 (0xx85) 9181-8528
GnuPG KEY at http://pgp5.ai.mit.edu:11371/pks/lookup?op=get&search=0xE88C7991
*****************************************************************************

On Thu, 22 Jun 2000, Paulo Ribeiro wrote:
Hi, folks.

Look what I found this evening (Red Hat Linux 6.2, kernel 2.2.16):

[user@my /]$ rpm -q ftp
ftp-0.16-3
[user@my /]$ ftp host
Connected to host.
220 host FTP server (Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999) ready.
Name (host:user): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put *
Segmentation fault (core dumped)
[user@my /]$ gdb ftp core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `ftp slackware'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libkrb4.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libkrb5.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libdes425.so.3...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libk5crypto.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libcom_err.so.3...
(no debugging symbols found)...done.
Reading symbols from /lib/libutil.so.1...done.
Reading symbols from /lib/libcrypt.so.1...done.
Reading symbols from /lib/libresolv.so.2...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
Reading symbols from /lib/libnss_nisplus.so.2...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libnss_nis.so.2...done.
Reading symbols from /lib/libnss_dns.so.2...done.
#0 chunk_free (ar_ptr=0x401fbd60, p=0x8070a34) at malloc.c:3049
3049 malloc.c: No such file or directory.t malloc.c:3049
(gdb) where
#0 chunk_free (ar_ptr=0x401fbd60, p=0x8070a34) at malloc.c:3049
#1 0x40166fba in __libc_free (mem=0x8070a3c) at malloc.c:3023
#2 0x804d8a8 in strcpy () at ../sysdeps/generic/strcpy.c:30
#3 0x804b00a in strcpy () at ../sysdeps/generic/strcpy.c:30
#4 0x8055860 in login ()
#5 0x80555ac in login ()
#6 0x401259cb in __libc_start_main (main=0x80551c0 <login+24584>, argc=2,
   argv=0xbffffb44, init=0x8049aa0, fini=0x8057a0c <lstat+88>,
   rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb3c)
   at ../sysdeps/generic/libc-start.c:92

Any idea?

Yours,
Paulo Ribeiro.