Bugtraq mailing list archives

Re: wuftp2.4.2academ beta 12-18 exploit


From: gbnewby () ILS UNC EDU (Gregory Newby)
Date: Mon, 3 May 1999 20:11:00 -0400


On Sat, 1 May 1999, Mixter wrote:

> this works on a lot of wu-ftpd's
> also uses other commands than MKD to
> exploit realpath() overflow

Workaround:

wu-ftpd and variants that use files /etc/ftp* for configuration
can easily help protect you against the many recent variants that
exploit buffer overflows with MKDIR.  All the varieties I've
seen require creating a directory or file - that's where the
overflow happens.

In /etc/ftpaccess, you have the option to specify what commands
may and may not be run by particular users.  Just add lines to
specify that user anonymous (or whatever others you want) cannot
put, delete, mkdir, etc.

E.g., lines like these:

chmod           no              anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous
mkdir           no              anonymous
upload          no              anonymous

Do you want your anonymous users to put files, change files, etc.?
Probably not...and this is where the automated scripts are first going to
try to break in: by anonymous FTP, not another username.  These
lines will prevent the MKD from succeeding, even if you leave a
directory chmod 777.

I tested this with RH Linux 5.2 and ftpd wu-2.4.2-VR17, with the
program Mixter provided and a couple of 777 directories.  Because
the buffer overflow doesn't happen until after a few iterations of
the MKDIR command, I expect this would work on any system using
wu-ftpd variants, because the first iteration of MKDIR or anything
else to create a file/directory would fail.

"man ftpaccess" for details on the /etc/ftpaccess file wu-ftpd
uses.

  -- Greg
// Gregory B. Newby, Assistant Professor in the School of Information
// and Library Science, University of North Carolina at Chapel Hill
// CB# 3360 Manning Hall, Chapel Hill, NC, 27599-3360  E: gbnewby () ils unc edu
// V: 919-962-8064 F: 919-962-8071  W: http://www.ils.unc.edu/~gbnewby/
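The /etc/ftpaccess check described above, as an added example that is not part of the original post: a small audit script (with a constructed sample config) that reports which of the directives Greg lists are not yet denied for a given user type. It assumes every directive uses the three-field `<directive> <yes|no> <typelist>` form shown in the post, with a comma-separated typelist such as `anonymous,guest`.

```python
"""Audit an ftpaccess file for the anonymous-user restrictions from the post."""

# Directives the post recommends denying to anonymous users.
RISKY_DIRECTIVES = ("chmod", "delete", "overwrite", "rename", "mkdir", "upload")


def parse_permissions(text):
    """Return {directive: [(allowed, {types...}), ...]} from ftpaccess text.

    Assumption: each directive uses the three-field form shown in the post,
    '<directive> <yes|no> <typelist>', with a comma-separated typelist.
    Comments (#) and unrelated directives such as 'class' are skipped.
    """
    perms = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in RISKY_DIRECTIVES:
            continue
        if fields[1].lower() not in ("yes", "no"):
            continue
        types = {t.strip().lower() for t in fields[2].split(",")}
        perms.setdefault(fields[0], []).append((fields[1].lower() == "yes", types))
    return perms


def still_allowed(perms, user_type="anonymous"):
    """Return the directives (in RISKY_DIRECTIVES order) not explicitly denied
    to user_type. A 'yes' line never counts as a denial."""
    open_ops = []
    for directive in RISKY_DIRECTIVES:
        denied = any(not allowed and user_type in types
                     for allowed, types in perms.get(directive, []))
        if not denied:
            open_ops.append(directive)
    return open_ops


# Constructed sample: a partial hardening that forgot mkdir and upload.
SAMPLE_FTPACCESS = """\
class   all   real,guest,anonymous  *
# deny the obvious write operations to anonymous logins
chmod       no   anonymous,guest
delete      no   anonymous
overwrite   no   anonymous
rename      no   anonymous
"""

if __name__ == "__main__":
    for op in still_allowed(parse_permissions(SAMPLE_FTPACCESS)):
        print(f"{op}: not denied for anonymous")
```

Run it against the real file with `parse_permissions(open("/etc/ftpaccess").read())`; an empty result for `anonymous` means every directive in the post's list is explicitly denied.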