Bugtraq mailing list archives
Re: wu-ftpd fb_realpath() off-by-one bug
From: Jane Smith <incidents2000 () yahoo com>
Date: Thu, 14 Aug 2003 11:01:50 -0700 (PDT)
Hi, I've got an AIX 5.2 server running wu-ftp 2.6.2. I found the "patch" for wu-ftp in the www.wu-ftpd.org website. I modified my source as they indicated for the off-by-one vulnerability and the DOS vulnerability they described. I then re-compiled (./configure; make; make install). The problem is the new ftpd binary does not work correctly. When I use it, if I type "ls -l" (or ls -<any flag>) I get an error: 550 Not enough space. There's plenty of space in all file systems. Any advice on how to fix this problem or how to go about troubleshooting it? Vania --- Przemyslaw Frasunek <venglin () freebsd lublin pl> wrote:
U¿ytkownik Janusz Niewiadomski napisa³:This bug may be non-exploitable if size of thebuffer is greater thanMAXPATHLEN characters. This may occur for exampleif wu-ftpd is compiledwith some versions of Linux kernel where PATH_MAX(and MAXPATHLENaccordingly) is defined to be exactly 4095characters. In such cases,the buffer is padded with an extra byte because ofvariable alignmentwhich is a result of code optimization.Actually, this bug is (probably) also non-exploitable when wu-ftpd is compiled using the gcc 3.x, which aligns stack variables in a different way: (gdb) b fb_realpath Breakpoint 1 at 0x8063c72: file realpath.c, line 103. (gdb) cont Continuing. (gdb) x/bx &resolved[4096] 0xbfffc770: 0x00 (gdb) awatch *0xbfffc770 Hardware access (read/write) watchpoint 2: *3221210992 (gdb) cont Continuing. Hardware access (read/write) watchpoint 2: *3221210992 Value = 0 0x400d81d9 in strcat () from /lib/libc.so.6 In my example (wu-ftpd 2.6.2 compiled on Debian with gcc 3.3.1), the address of NULL-overflowed byte is 0xbfffc770 and the saved %ebp is located at 0xbfffc788: (gdb) info frame 2 Stack frame at 0xbfffc788: eip = 0x8063ae4 in wu_realpath (realpath.c:60); saved eip 0x8053b35 called by frame at 0xbfffe7d8, caller of frame at 0xbfffb748 source language c. Arglist at 0xbfffc788, args: path=0x808cef0 'A' <repeats 200 times>..., resolved_path=0xbfffc7a0 "\001\001", chroot_path=0x8082e60 "" Locals at 0xbfffc788, Previous frame's sp in esp Saved registers: ebx at 0xbfffc784, ebp at 0xbfffc788, eip at 0xbfffc78c I have tested the generic RedHat 8.0 (which provides wu-ftpd-2.6.2-5 compiled with gcc 3.x) and the behaviour was exactly the same. Wu-ftpd suppiled with Debian Woody also seems to be non-exploitable -- it's compiled on kernel 2.2 with PATH_MAX 4095. -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw () frasunek com ** keyId: 2578FCAD | C0613BE3 | EC78FAB5 *
__________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com
Current thread:
- Re: wu-ftpd fb_realpath() off-by-one bug Przemyslaw Frasunek (Aug 04)
- Re: wu-ftpd fb_realpath() off-by-one bug Jane Smith (Aug 15)