Bugtraq mailing list archives

Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD


From: r-dass () NTX1 CSO UIUC EDU (Rami Dass)
Date: Thu, 21 Oct 1999 15:05:22 -0500


Also, I believe that this problem occurs only in certain OSes vulnerable to
the getcwd() exploit; the ERRATA file, in the 2.6.0 source tree, lists them:

"Systems needing getcwd():

  BSD 4.4       (bsd)
  Unix 3.x      (dec)
  DG/UX         (dgx)
  Dynix         (dyn)
  generic       (gen)
  NeXTstep 2.x  (nx2)
  OSF/1         (osf)
  Sony NewsOS   (sny)"

So this exploit MIGHT be OS-specific and certain OSes running versions prior
to 2.6.0 may not be affected.  I did try building 2.6.0 under Solaris 7, and
there were some problems with using "ls".

Incidentally, there has been a patch available to address the getcwd() issue
on the ftp site for wu-ftpd that can be applied to 2.5.0.

-----Original Message-----
From: Richard Trott [mailto:trott () SLOWPOISONERS COM]
Sent: Wednesday, October 20, 1999 5:17 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD

WU-FTPD and BeroFTPD

   Vulnerability #1:

   Not vulnerable:
          versions 2.4.2 and all betas and earlier versions
   Vulnerable:
          wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
          wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
          wu-ftpd-2.5.0
          BeroFTPD, all versions

CERT appears to have left out wu-ftpd-2.6.0 (although they included it in
the lists for the other two vulnerabilities).

Version 2.6.0 does *not* have the "MAPPING_CHDIR Buffer Overflow"
vulnerability, at least if the ANNOUNCE-RELEASE file for that version is
to be believed.  It reads, in part:

"Corrected an error in the MAPPING_CHDIR feature which could be used to
gain root privileges on the server."

Presumably, this refers to this vulnerability.

Rich

