Bugtraq mailing list archives

wu-ftpd exploit fix

From: adam () IEXPOSURE COM (Adam Maloney)
Date: Thu, 6 May 1999 14:19:48 -0500


We evaluated the source to the exploit, and made some changes to
realpath.c (found in the /src directory of the wu-ftpd tarball)   After
making these changes, we tried the exploits again on 3 different
machines (that we were able to compromise before) and could no longer
get root.

Interestingly enough, from the code that we saw, there was already code
in the source to handle buffer overflows, but it wasn't implemented for
all of the functions.

Niether I nor my company make any guarantees that these changes will fix
the buffer overflows.  I will say that we have not been able to gain
root through the exploit posted since we made these changes.

This diff is against wu-ftpd 2.4.2b18 (not a VC distro) Here's the diff:

150c150
<             strcpy(result, namebuf);
---

            strncpy(result, namebuf, MAXPATHLEN);

158c158
<                 strcpy(result, namebuf);
---

                strncpy(result, namebuf, MAXPATHLEN);

178c178
<             strcpy(result, namebuf);
---

            strncpy(result, namebuf, MAXPATHLEN);

183c183
<     strcpy(result, workpath);
---

    strncpy(result, workpath, MAXPATHLEN);


Adam Maloney
Systems Administrator
Internet Exposure, Inc.
[612] 922.3126

Current thread:

wuftp2.4.2academ beta 12-18 exploit Mixter (May 01)
- Re: wuftp2.4.2academ beta 12-18 exploit Gregory Newby (May 03)
  - Re: wuftp2.4.2academ beta 12-18 exploit Mariusz Marcinkiewicz (May 05)
  - Re: wuftp2.4.2academ beta 12-18 exploit laq () SWIPNET SE (May 05)
    - Re: wuftp2.4.2academ beta 12-18 exploit laq () SWIPNET SEX (May 07)
  - wu-ftpd exploit fix Adam Maloney (May 06)
    - Re: wu-ftpd exploit fix Jordan Ritter (May 07)
  - Debian, Re: wuftp2.4.2academ beta 12-18 exploit A Mennucc1 (May 07)
- Re: wuftp2.4.2academ beta 12-18 exploit Chad Price (May 04)