Bugtraq mailing list archives

Re: WuFTPD: Providing *remote* root since at least 1994


From: Marcus.Meissner () CALDERA DE (Marcus Meissner)
Date: Fri, 23 Jun 2000 15:33:59 +0200


On Thu, Jun 22, 2000 at 11:28:36PM -0700, Daniel Jacobowitz wrote:
[ Maybe I'm just out of the loop, but... does no one NOTIFY VENDORS any
more? ]

Seems so.

See first comment.

Dan

diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y
--- wu-ftpd-orig/src/ftpcmd.y Wed Oct 13 08:15:28 1999
+++ wu-ftpd-2.6.0/src/ftpcmd.y        Thu Jun 22 22:44:41 2000

Thank you for the patch.

On a side note. While testing the exploit and patch, another not so
serious problem showed:

        $ rpm -q `which ftp`
        netkit-ftp-0.16-1
        $ ftp ftp
        Connected to <removed>.
        220 <removed> FTP server (Version wu-2.5.0(1) Fri Jun 23 14:28:51 CEST 2000) ready.
        Name (ftp:mm): ftp
        331 Guest login ok, send your complete e-mail address as password.
        Password:
        230 Guest login ok, access restrictions apply.
        Remote system type is UNIX.
        Using binary mode to transfer files.
        ftp>
        ftp> site exec hello%s
        200-hello: T
        200  (end of 'hello: ')

        $ rpm -q ncftp
        ncftp-3.0beta21-1
        $ ncftp ftp
        ...
        ncftp / > site exec hello%s
        hello÷`êÀ±
         (end of 'hello÷`êÀ')
        ncftp / >

The ftp client seems to happily interpret the %s characters passed back from
the command.

I am not sure how difficult it is to develop a reverse exploit for this one,
but it nevertheless appears to be exploitable.

Ciao, Marcus

--
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm () caldera de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux
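
The client-side flaw described in the message above, as an added example that is not part of the original post or of either FTP client's source: a server reply used as a printf format string, next to the corrected call that passes it as data. The helper names and the sample replies are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical printf-style helper of the kind a client uses to display text. */
static int client_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the server-controlled reply is used as the format string.
 * Only call this with replies whose directives take no argument ("%%");
 * with %s the formatter reads an argument that was never passed. */
int show_reply_unsafe(char *out, size_t n, const char *reply)
{
    return client_printf(out, n, reply);
}

/* Corrected pattern: fixed format string, reply passed as data. */
int show_reply_safe(char *out, size_t n, const char *reply)
{
    return client_printf(out, n, "%s", reply);
}

/* Count directives a reply would trigger if used as a format ("%%" is literal). */
int count_directives(const char *reply)
{
    int count = 0;
    for (const char *p = reply; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent sign */
        if (p[1] != '\0') count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *reply = "200-hello%s";   /* constructed, modelled on the session above */
    show_reply_safe(buf, sizeof buf, reply);
    printf("safe: %s (directives: %d)\n", buf, count_directives(reply));
    show_reply_unsafe(buf, sizeof buf, "200-100%% done");
    printf("unsafe path rewrote the text to: %s\n", buf);
    return 0;
}
```

The unsafe path is exercised only with "%%", where the behaviour is defined, to show that the reply text is being interpreted rather than displayed.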
