Bugtraq mailing list archives
Re: WuFTPD: Providing *remote* root since at least1994
From: Marcus.Meissner () CALDERA DE (Marcus Meissner)
Date: Fri, 23 Jun 2000 15:33:59 +0200
On Thu, Jun 22, 2000 at 11:28:36PM -0700, Daniel Jacobowitz wrote:
[ Maybe I'm just out of the loop, but... does no one NOTIFY VENDORS any more? ]
Seems so.
See first comment. Dan diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y --- wu-ftpd-orig/src/ftpcmd.y Wed Oct 13 08:15:28 1999 +++ wu-ftpd-2.6.0/src/ftpcmd.y Thu Jun 22 22:44:41 2000
Thank you for the patch. On a side note. While testing the exploit and patch, another not so serious problem showed: $ rpm -q `which ftp` netkit-ftp-0.16-1 $ ftp ftp Connected to <removed>. 220 <removed> FTP server (Version wu-2.5.0(1) Fri Jun 23 14:28:51 CEST 2000) ready. Name (ftp:mm): ftp 331 Guest login ok, send your complete e-mail address as password. Password: 230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files. ftp> ftp> site exec hello%s 200-hello: T 200 (end of 'hello: ') $ rpm -q ncftp ncftp-3.0beta21-1 $ ncftp ftp ... ncftp / > site exec hello%s hello÷`êÀ± (end of 'hello÷`êÀ') ncftp / > The ftp client seems to happily interpret the %s characters passed back from the command. I am not sure how difficult it is to develop a reverse exploit for this one, but it neithertheless appears to be exploitable. Ciao, Marcus -- _____ ___ / __/____/ / Caldera (Deutschland) GmbH / /_/ __ / /__ Naegelsbachstr. 49c, 91052 Erlangen /_____//_/ /____/ Dipl. Inf. Marcus Meissner, email: mm () caldera de ==== /_____/ ====== phone: ++49 9131 7912-300, fax: ++49 9131 7192-399 Caldera OpenLinux
Current thread:
- Re: WuFTPD: Providing *remote* root since at least1994 Bernhard Rosenkraenzer (Jun 22)
- Re: WuFTPD: Providing *remote* root since at least1994 Daniel Jacobowitz (Jun 22)
- Re: WuFTPD: Providing *remote* root since at least1994 Marcus Meissner (Jun 23)
- Why pine must never be sgid Stan Bubrouski (Jun 23)
- sawmill5.0.21 old path bug & weak hash algorithm Cashdollar, Larry (Jun 26)
- Re: WuFTPD: Providing *remote* root since at least1994 Tomasz Grabowski (Jun 27)
- Re: WuFTPD: Providing *remote* root since at least1994 Bernhard Rosenkraenzer (Jun 27)
- Re: WuFTPD: Providing *remote* root since at least1994 Gregory A Lundberg (Jun 27)
- ftpd: the advisory version Lamagra Argamal (Jun 23)
- Re: ftpd: the advisory version Bernd Luevelsmeyer (Jun 25)
- Re: ftpd: the advisory version Sebastian (Jun 26)
- [RHSA-2000:037-05] New Linux kernel fixes security bug bugzilla () REDHAT COM (Jun 26)
- LeafChat Denial of Service Andrew Lewis (Jun 25)
- Re: ftpd: the advisory version Bernd Luevelsmeyer (Jun 25)
(Thread continues...)
- Re: WuFTPD: Providing *remote* root since at least1994 Daniel Jacobowitz (Jun 22)