Vulnerability Development mailing list archives

Re: Red Hat 6.2's ftp segmentation fault


From: osvaldojaneri () UOL COM BR (Osvaldo J. Filho)
Date: Fri, 23 Jun 2000 15:14:04 -0300


Yes, there is a Wu-FTPD 2.6.0 private exploit around here. I got the
exploit too, and it looks like it works. Change to ProFTPD or NcFTPD.

The start of the exploit:
/* - wuftpd2600.c
 * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999
 *
 *  WUFTPD 2.6.0 REMOTE ROOT EXPLOIT
 *   by tf8
 *
 * *NOTE*:  For ethical reasons, only an exploit for 2.6.0 will be
 *     released (2.6.0 is the most popular version nowadays), and it
 *     should suffice to proof this vulnerability concept.
 *
 *   Site exec was never really *fixed*

The exploit uses site exec, but 'put' may be vulnerable too.

                        Osvaldo Janeri Filho
                      Consultor em Informatica
                 E-Commerce, E-Security, E-Solutions
                      osvaldojaneri () uol com br
                            Fortaleza
                              Ceará

*****************************************************************************
Contato por email : osvaldojaneri () uol com br
Telefone: +55 (0xx85) 9181-8528
GnuPG KEY em
http://pgp5.ai.mit.edu:11371/pks/lookup?op=get&search=0xE88C7991
*****************************************************************************

On Thu, 22 Jun 2000, Paulo Ribeiro wrote:

Hi, folks.

Look what I found this evening (Red Hat Linux 6.2, kernel 2.2.16):

[user@my /]$ rpm -q ftp
ftp-0.16-3
[user@my /]$ ftp host
Connected to host.
220 host FTP server (Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999)
ready.
Name (host:user): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put *
Segmentation fault (core dumped)
[user@my /]$ gdb ftp core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `ftp slackware'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libkrb4.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libkrb5.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libdes425.so.3...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libk5crypto.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/kerberos/lib/libcom_err.so.3...
(no debugging symbols found)...done.
Reading symbols from /lib/libutil.so.1...done.
Reading symbols from /lib/libcrypt.so.1...done.
Reading symbols from /lib/libresolv.so.2...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
Reading symbols from /lib/libnss_nisplus.so.2...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libnss_nis.so.2...done.
Reading symbols from /lib/libnss_dns.so.2...done.
#0  chunk_free (ar_ptr=0x401fbd60, p=0x8070a34) at malloc.c:3049
3049    malloc.c: No such file or directory.
(gdb) where
#0  chunk_free (ar_ptr=0x401fbd60, p=0x8070a34) at malloc.c:3049
#1  0x40166fba in __libc_free (mem=0x8070a3c) at malloc.c:3023
#2  0x804d8a8 in strcpy () at ../sysdeps/generic/strcpy.c:30
#3  0x804b00a in strcpy () at ../sysdeps/generic/strcpy.c:30
#4  0x8055860 in login ()
#5  0x80555ac in login ()
#6  0x401259cb in __libc_start_main (main=0x80551c0 <login+24584>, argc=2,
    argv=0xbffffb44, init=0x8049aa0, fini=0x8057a0c <lstat+88>,
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb3c)
    at ../sysdeps/generic/libc-start.c:92

Any idea?

Yours,
Paulo Ribeiro.
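The site exec hole that the tf8 exploit quoted above targets is a format-string bug: wu-ftpd 2.6.0 passed the client-supplied SITE EXEC argument as the format argument of its printf-style reply routine, so `%x`, `%s` and `%n` directives in the command read and write the daemon's stack. The following is an added illustration and is not code from the original post or from wu-ftpd; `ftp_reply`, `site_exec_vulnerable`, `site_exec_fixed`, `count_format_directives` and `demo_percent_n_write` are names assumed for this example. It shows the vulnerable call shape beside the one-line fix, a cheap input check, and a deterministic demonstration of the `%n` write primitive (with an explicit pointer argument, so it is defined behaviour rather than a real stack write).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Illustrative printf-style reply helper, modelled on the shape of an FTP
 * daemon's reply()/lreply(). Assumed name for this example, not wu-ftpd's
 * own code. Output goes to a caller buffer instead of the control socket. */
static void ftp_reply(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern: the SITE EXEC argument from the client becomes the
 * format string itself. Every '%' directive in it is interpreted, and %x /
 * %s / %n read or write whatever sits in the vararg area (the stack). */
void site_exec_vulnerable(char *out, size_t outlen, const char *user_cmd)
{
    ftp_reply(out, outlen, user_cmd);
}

/* HARDENED pattern: the format is a literal, the user data is an argument.
 * A '%' in user_cmd is now just a byte to copy. */
void site_exec_fixed(char *out, size_t outlen, const char *user_cmd)
{
    ftp_reply(out, outlen, "%s", user_cmd);
}

/* Defensive check a practitioner might bolt in front of a legacy call site:
 * count real conversion directives in a string, treating "%%" as a literal
 * percent. Any non-zero result on data that should never be a format is
 * suspicious. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Deterministic demonstration of the %n write primitive an exploit builds
 * on. Here the pointer is supplied explicitly, so this is defined behaviour.
 * The width of the preceding conversion controls the value stored, which is
 * exactly how an attacker chooses the bytes written to a hijacked address. */
unsigned int demo_percent_n_write(unsigned int pad)
{
    char buf[64];
    int written = -1;
    /* "%*u" prints 0 padded to 'pad' characters; %n stores the byte count. */
    snprintf(buf, sizeof buf, "%*u%n", (int)pad, 0u, &written);
    return (unsigned int)written;
}

int main(void)
{
    char out[64];
    const char *cmd = "ls %% done";   /* constructed sample client input */

    site_exec_vulnerable(out, sizeof out, cmd);
    printf("vulnerable: %s\n", out);   /* "%%" was interpreted */
    site_exec_fixed(out, sizeof out, cmd);
    printf("fixed:      %s\n", out);   /* copied verbatim */
    printf("directives in \"%%x%%x%%n\": %d\n",
           count_format_directives("%x%x%n"));
    printf("%%n after 16-wide field stores %u\n", demo_percent_n_write(16));
    return 0;
}
```

The sample input only uses `%%`, which is the one directive whose effect is defined without matching arguments; it is enough to prove the format is being interpreted. The real attack substitutes `%x` to dump the stack and `%n` to write, which is undefined behaviour here and so is only shown with an explicit pointer in `demo_percent_n_write`.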


