Bugtraq mailing list archives
Re: WuFTPD: Providing *remote* root since at least 1994
From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Thu, 22 Jun 2000 23:28:36 -0700
[ Maybe I'm just out of the loop, but... does no one NOTIFY VENDORS any more? ]

On Fri, Jun 23, 2000 at 02:20:11AM +0200, Bernhard Rosenkraenzer wrote:
> On Thu, 22 Jun 2000, Elias Levy wrote:
> > /* - wuftpd2600.c
> >  * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999
>
> This should fix it... Since the exploit never worked for me the first time and I haven't taken the time to fix it yet (fixing the bug is more important than fixing the exploit, I guess ;) ), it's unverified though.
>
> LLaP
> bero
> Actually, here's a more useful patch.

Sorry, thanks for playing. These don't apply to the problem.
--- wu-ftpd-2.6.0/src/ftpcmd.y.security Fri Jun 23 01:49:45 2000 +++ wu-ftpd-2.6.0/src/ftpcmd.y Fri Jun 23 01:52:37 2000 @@ -776,7 +776,7 @@ if (!restricted_user && $2 != 0 && $6 != NULL) { char buf[MAXPATHLEN]; if (strlen($6) + 7 <= sizeof(buf)) { - sprintf(buf, "index %s", (char *) $6); + snprintf(buf, MAXPATHLEN, "index %s", (char *) $6);
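Review bot: the `- sprintf` / `+ snprintf` swap in this hunk is redundant, because the guard directly above it, `if (strlen($6) + 7 <= sizeof(buf))`, already guarantees that `"index "` plus the argument plus the terminating NUL fit in `buf`. If snprintf is kept anyway, bound it with `sizeof(buf)` rather than a bare `MAXPATHLEN`, so the limit cannot drift from the buffer's declared size if either is changed later.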
And it is not needed, since there is a 512 char limit on network input and MAXPATHLEN is generally about 2K. Not to mention that could still be overflowable. snprintf() doesn't null terminate.
@@ -1871,6 +1871,10 @@ char *sp = (char *) strchr(cmd, ' '), *slash, *t; FILE *cmdf; + if(strlen(cmd)+strlen(_PATH_EXECPATH)+1 > MAXPATHLEN) { + syslog(LOG_CRIT, "User probably tried SITE EXEC root exploit, refusing!"); + return; + }
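Review bot: the added check `strlen(cmd)+strlen(_PATH_EXECPATH)+1 > MAXPATHLEN` is off by one against the buffer it is meant to protect: building `"%s/%s"` needs room for the separating `/` and the terminating NUL, i.e. `+ 2`, which is exactly the bound the existing check further down in this function already uses (`if (strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf)) return;`). The new block is therefore both looser than and redundant with the existing one; drop it, or if an early rejection is wanted, reuse the `+ 2` bound and `sizeof(buf)`, and log a neutral message about an over-long argument rather than one that speculates about the user's intent.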
And that's useless, since it's checked not far below (about 20 lines, I think).
@@ -1893,7 +1897,7 @@ /* build the command */ if (strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf)) return; - sprintf(buf, "%s/%s", _PATH_EXECPATH, cmd); + snprintf(buf, MAXPATHLEN, "%s/%s", _PATH_EXECPATH, cmd); cmdf = ftpd_popen(buf, "r", 0); if (!cmdf) {
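Review bot: as in the first hunk, this `sprintf` to `snprintf` change is already covered by the preceding `if (strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf)) return;`, so it alters no behaviour; if it stays, pass `sizeof(buf)` instead of `MAXPATHLEN`. Nothing in this hunk changes what is handed to `ftpd_popen(buf, "r", 0)`, which is consistent with the objection in this reply that the patch does not apply to the problem under discussion.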
See first comment.

Dan

-- 
Daniel Jacobowitz, SCS Class of 2002, Carnegie Mellon University
Debian GNU/Linux Developer
dan () debian org | dmj+ () andrew cmu edu