[LaurelLinux] [Fwd: ftpd: the advisory version] (fwd)

brent harding bharding at greenbaynet.com
Thu Jun 29 23:55:32 EDT 2000


I think every linux distribution has the bug, I am running wu_ftpd on
debian 2.2 potato, downloaded it about a week or two ago. I figured, it's
standard and allows users to upload to their home directories by default,
and enables anonymous ftp by default, I may switch to proftpd, don't know
yet, wu_ftpd is so standard on many systems, and I've seen exploits
available for it for quite a while that do different things.
At 10:40 PM 6/29/00 -0400, you wrote:
>
>
>thought you folks would find this of interest.
>
>
>---------- Forwarded message ----------
>Date: Thu, 29 Jun 2000 06:07:36 -0400
>From: Eric K. Dickinson <eric at nova.cit.nih.gov>
>Reply-To: eric_dickinson at nih.gov
>To: laurel linux <laurellinux at linuxweb.org>
>Subject: [LaurelLinux] [Fwd: ftpd:  the advisory version]
>
>Roger Fajman wrote:
>> 
>> == Forwarded Mail ==
>> 
>> Date:         Fri, 23 Jun 2000 09:18:22 -0000
>> From: Lamagra Argamal <lamagra at HACKERMAIL.NET>
>> Subject:      ftpd: the advisory version
>> To: BUGTRAQ at SECURITYFOCUS.COM
>> 
>> You might have seen the wuftpd exploit by tf8, he released it in his own
>> lame way. But now I bring you the story behind it.
>> 
>> The story begins inside the ftpcmd.y file, which has the ftp commands in
>> it.
>> The bug is in the site_exec(char *cmd) function. There it calls
>> lreply(200,cmd);
>> In ftpd.c we find
>> 
>> void lreply(int n, char *fmt,...)
>> ....
>> vreply(USE_REPLY_LONG, n, fmt, ap)
>> ...
>> 
>> and
>> void vreply(long flags, int n, char *fmt, va_list ap)
>> ...
>> vsnprintf(buf + (n ? 4 : 0), n ? sizeof(buf) - 4 : sizeof(buf), fmt, ap)
>> ....
>> 
>> cmd becomes fmt with vsnprintf; that's bad. The idea is to put in
>> format strings to get some extra privileges.
>> We can use %n to overwrite some stuff, e.g. overwrite a ret-address or a
>> null at the end of a buffer (cause an overflow) or change the configuration
>> or uid like I did in my proftp exploit (check proftp_pcc.c on Packetstorm).
>> 
>> There are some other bugs in site_exec like
>>     for (t = cmd; *t && !isspace(*t); t++) {
>>         if (isupper(*t)) {
>>             *t = tolower(*t);
>>         }
>>     }
>> 
>> Sanitizing stops at a space?? (good thing I didn't tell you this, eh tf8)
>> 
>> Wuftpd is all really buggy code. I prefer proftpd, it has clean,
>> readable code and it's quite secure.
>> I did some checking and found some minor bugs there too
>> 
>> First in modules/mod_pam.c
>>  /* Allocate our entries...we don't free this because PAM does this for us.
>>    */
>>   pam_user = malloc(strlen(cmd->argv[0]) + 1);
>>   if(pam_user == (char *)0)
>>     return pam_return_type ? ERROR(cmd) : DECLINED(cmd);
>>   sstrncpy(pam_user, cmd->argv[0], strlen(cmd->argv[0]) + 1);
>> 
>>   pam_pass = malloc(strlen(cmd->argv[1]) + 1);
>> 
>> Pam doesn't free these according to me. So this could lead to a
>> potential system DoS if abused. Fortunately proftpd has a limit of 3 on
>> USER/PASS.
>> 
>> Second:
>> In the set_proc_title(char *fmt,...) function in main.c
>> It constructs a buffer with hostname + user + cmd to replace argv[0], if
>> setproctitle(char *fmt,...) is available (only on debian and bsd).
>> It calls setproctitle(statsbuf); which re-opens the old bug.
>> Not a big thing since almost nobody has it.
>> 
>> -lamagra
>> http://lamagra.seKure.de
>> http://roothat.labs.pulltheplug.com
>> 
>
>-- 
>
>Eric K. Dickinson CNE, MCSE, GNU/Linux Geek
>http://dexter.dyndns.com
>NRA Indoor Pistol Master
>_______________________________________________
>LaurelLinux mailing list
>LaurelLinux at piggy.linuxweb.org
>http://piggy.linuxweb.org/mailman/listinfo/laurellinux
>
>
>_______________________________________________
>Speakup mailing list
>Speakup at braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>
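The core of the advisory above is the call site lreply(200, cmd): client text reaches the format argument of vsnprintf. The following is an added example written for this archive page, not code from wu-ftpd, proftpd or the advisory's author. It reconstructs the shape of the quoted lreply/vreply pair (the "NNN-" four-byte prefix when n is non-zero), shows the vulnerable call beside the one-token fix (a constant "%s" format with cmd as data), and adds a small audit helper that counts conversion directives in a string. The buffer size, function names site_exec_vulnerable / site_exec_fixed / count_format_directives and the sample command are all constructed for the example; the demonstration input uses only "%%" so the difference is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example; not a wu-ftpd constant. */
#define REPLY_BUF 256

/* Mirrors the vreply() shape the advisory quotes: when n is non-zero, four
 * bytes are reserved for the "NNN-" prefix and the rest goes to vsnprintf. */
static void vreply(char *out, size_t outlen, int n, const char *fmt, va_list ap)
{
    size_t pre = 0;
    if (n) {
        snprintf(out, outlen, "%03d-", n);   /* e.g. "200-" */
        pre = 4;
    }
    if (outlen <= pre) {
        return;                               /* nothing left to format into */
    }
    vsnprintf(out + pre, outlen - pre, fmt, ap);
}

/* Mirrors lreply(): a varargs wrapper that forwards to vreply(). */
static void lreply(char *out, size_t outlen, int n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vreply(out, outlen, n, fmt, ap);
    va_end(ap);
}

/* The bug: the client-supplied command text is passed as the FORMAT, so any
 * %-directive inside cmd is interpreted by vsnprintf instead of copied. */
void site_exec_vulnerable(char *out, size_t outlen, const char *cmd)
{
    lreply(out, outlen, 200, cmd);
}

/* The fix: a constant format string; cmd is an ordinary data argument. */
void site_exec_fixed(char *out, size_t outlen, const char *cmd)
{
    lreply(out, outlen, 200, "%s", cmd);
}

/* Audit helper: count '%' conversions in a string ("%%" is a literal percent
 * sign, not a conversion). Non-zero on data that reaches a non-literal
 * format is the condition a reviewer or log check is looking for. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') {
            continue;
        }
        if (s[1] == '%') {          /* escaped percent: skip both chars */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed input: "%%" is the only directive that is safe to let
     * vsnprintf interpret, and it still shows that interpretation happened. */
    const char *cmd = "ls 100%% done";
    char vuln[REPLY_BUF], fixed[REPLY_BUF];

    site_exec_vulnerable(vuln, sizeof vuln, cmd);
    site_exec_fixed(fixed, sizeof fixed, cmd);

    printf("vulnerable: %s\n", vuln);   /* 200-ls 100% done  (data interpreted) */
    printf("fixed:      %s\n", fixed);  /* 200-ls 100%% done (data copied as-is) */
    printf("directives in \"%%n%%n\": %d\n", count_format_directives("%n%n"));
    return 0;
}
```

The vulnerable and fixed variants share the same lreply/vreply pair; the defect is entirely at the call site, which is why this class of bug is easy to miss in review. A compile-time check that would have flagged it: declare lreply with `__attribute__((format(printf, 4, 5)))` and build with `-Wformat -Wformat-security`, and gcc reports "format not a string literal and no format arguments" on the site_exec_vulnerable call.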