Re: Possible WU-ftpd Worm ?

[lundberg () WU-FTPD ORG (Gregory A Lundberg)]

On Wed, 14 Apr 1999, Stu Alchor wrote:

> As I've run the old ftp exploit I found in the bugtraq and they didn't
> work so I thought we were not vulnerable. I will attach the core of
> the ftp worm (SDI-wu.c), the exploit for the vulnerability, which,
> btw, worked in my host.

>   strcpy ( tmp, "MKD "); strcat ( tmp, buff); strcat ( tmp, "\n");

This is the realpath() overflow discussed in

  http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

Please review that document to determine if your version of the WU-FTPD
daemon is vulnerable.

The addition of a backdoor (if true) is new, however.

Anyone wishing to discuss this matter may contact me through either of the
WU-FTPD discussion lists cc'd above or through private email.



The location of the latest version of wu-ftpd can be found in the
directory

      ftp://ftp.vr.net/pub/wu-ftpd/

wu-ftpd Resource Center:  http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ:              http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive:     http://www.landfield.com/wu-ftpd/mail-archive/

--

Gregory A Lundberg
1441 Elmdale Drive              lundberg () wu-ftpd org
Kettering, OH 45409-1615 USA    1-888-977-5370