[LaurelLinux] [Fwd: ftpd: the advisory version] (fwd)

Scott Howell showell at n3byy.yi.org
Thu Jun 29 22:40:40 EDT 2000


thought you folks would find this of interest.


---------- Forwarded message ----------
Date: Thu, 29 Jun 2000 06:07:36 -0400
From: Eric K. Dickinson <eric at nova.cit.nih.gov>
Reply-To: eric_dickinson at nih.gov
To: laurel linux <laurellinux at linuxweb.org>
Subject: [LaurelLinux] [Fwd: ftpd:  the advisory version]

Roger Fajman wrote:
> 
> == Forwarded Mail ==
> 
> Date:         Fri, 23 Jun 2000 09:18:22 -0000
> From: Lamagra Argamal <lamagra at HACKERMAIL.NET>
> Subject:      ftpd: the advisory version
> To: BUGTRAQ at SECURITYFOCUS.COM
> 
> You might have seen the wuftpd exploit by tf8; he released it in his own lame way. But now I bring you the story behind it.
> 
> The story begins inside the ftpcmd.y file, which has the ftp commands in it.
> The bug is in the site_exec(char *cmd) function. There it calls lreply(200,cmd);
> In ftpd.c we find
> 
> void lreply(int n, char *fmt,...)
> ....
> vreply(USE_REPLY_LONG, n, fmt, ap)
> ...
> 
> and
> void vreply(long flags, int n, char *fmt, va_list ap)
> ...
> vsnprintf(buf + (n ? 4 : 0), n ? sizeof(buf) - 4 : sizeof(buf), fmt, ap)
> ....
> 
> cmd becomes fmt in vsnprintf; that's bad. The idea is to put in format strings to get some extra privileges.
> We can use %n to overwrite some stuff, e.g. overwrite a ret-address or a null at the end of a buffer (cause an overflow) or change the configuration or uid like I did in my proftp exploit (check proftp_pcc.c on Packetstorm).
> 
> There are some other bugs in site_exec like
>     for (t = cmd; *t && !isspace(*t); t++) {
>         if (isupper(*t)) {
>             *t = tolower(*t);
>         }
>     }
> 
> Sanitizing stops at a space?? (good thing I didn't tell you this, eh tf8)
> 
> Wuftpd is all really buggy code. I prefer proftpd; it has clean, readable code and it's quite secure.
> I did some checking and found some minor bugs there too.
> 
> First in modules/mod_pam.c
>  /* Allocate our entries...we don't free this because PAM does this for us.
>    */
>   pam_user = malloc(strlen(cmd->argv[0]) + 1);
>   if(pam_user == (char *)0)
>     return pam_return_type ? ERROR(cmd) : DECLINED(cmd);
>   sstrncpy(pam_user, cmd->argv[0], strlen(cmd->argv[0]) + 1);
> 
>   pam_pass = malloc(strlen(cmd->argv[1]) + 1);
> 
> PAM doesn't free these according to me. So this could lead to a potential system DoS if abused. Fortunately proftpd has a limit of 3 on USER/PASS.
> 
> Second:
> In the set_proc_title(char *fmt,...) function in main.c
> It constructs a buffer with hostname + user + cmd to replace argv[0]. If setproctitle(char *fmt,...) is available (only on Debian and BSD),
> it calls setproctitle(statsbuf), which re-opens the old bug.
> Not a big thing since almost nobody has it.
> 
> -lamagra
> http://lamagra.seKure.de
> http://roothat.labs.pulltheplug.com

-- 

Eric K. Dickinson CNE, MCSE, GNU/Linux Geek
http://dexter.dyndns.com
NRA Indoor Pistol Master
_______________________________________________
LaurelLinux mailing list
LaurelLinux at piggy.linuxweb.org
http://piggy.linuxweb.org/mailman/listinfo/laurellinux
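The core of the forwarded advisory is that site_exec() hands a client-controlled string to lreply() as the *format* argument, so vsnprintf() interprets it. The following C program is an added illustration, not part of the original post and not wu-ftpd's or proftpd's source: it shows the unsafe wrapper shape beside the hardened form (constant format, client text passed as a %s argument), plus a small detection helper a defender can use to flag commands containing %-directives in server logs. Function names (lreply_unsafe, lreply_safe, has_format_directive, site_exec_reply), the fixed 4-byte reply-code prefix and the sample inputs are all constructed for this example; the unsafe wrapper is never called with client data here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed for illustration; not wu-ftpd's source. The 4-byte prefix
 * mirrors the "buf + (n ? 4 : 0)" reservation in vreply(): room for the
 * "NNN-" reply code in front of the formatted text (simplified: the code
 * is always emitted here). */
#define REPLY_CODE_LEN 4

/* The pattern the advisory describes: lreply() forwards whatever it is
 * given as *fmt* straight to vsnprintf(). If a caller passes a
 * client-controlled string here (site_exec's lreply(200, cmd)), every
 * %-directive in that string is interpreted against an argument list the
 * client never supplied. Kept only to show the shape of the bug. */
int lreply_unsafe(char *out, size_t outlen, int n, const char *fmt, ...)
{
    va_list ap;
    int len;

    if (outlen < REPLY_CODE_LEN + 1)
        return -1;
    snprintf(out, outlen, "%03d-", n);
    va_start(ap, fmt);
    len = vsnprintf(out + REPLY_CODE_LEN, outlen - REPLY_CODE_LEN, fmt, ap);
    va_end(ap);
    return len;
}

/* Hardened form: the format is a compile-time constant and the client
 * string is a %s argument, so it is copied verbatim, never interpreted. */
int lreply_safe(char *out, size_t outlen, int n, const char *text)
{
    return snprintf(out, outlen, "%03d-%s", n, text);
}

/* Detection helper: does a client-supplied string carry a '%' that a
 * printf-family function would treat as a conversion directive? "%%" is
 * a literal percent and is not counted; a lone trailing '%' is counted
 * because vsnprintf's behaviour on it is undefined. Handy for flagging
 * suspicious SITE EXEC arguments in logs while servers are being patched. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> literal '%' */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Hypothetical stand-in for site_exec()'s reply path. Builds the reply
 * with the safe wrapper and returns 1 for a clean command, 0 when the
 * command looked like a format-string probe (so the caller can log it).
 * The reply is built safely in both cases. */
int site_exec_reply(const char *cmd, char *reply, size_t replylen)
{
    int flagged = has_format_directive(cmd);

    lreply_safe(reply, replylen, 200, cmd);
    return flagged ? 0 : 1;
}

int main(void)
{
    char reply[128];
    const char *probe = "%x%x%n";   /* constructed sample input */
    int clean = site_exec_reply(probe, reply, sizeof reply);

    /* With the safe wrapper the directives come back as plain text. */
    printf("clean=%d reply=\"%s\"\n", clean, reply);
    return 0;
}
```

The fix that actually closes the hole is the one-line change in lreply_safe (a constant format with the client text as an argument); has_format_directive is only a detection aid and is not a substitute for it, since a later code path such as the setproctitle(statsbuf) call mentioned in the advisory can reintroduce the same mistake.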