Re: exploiting wu-ftpd

[zen-parse <zen-parse () gmx net>]

The patches have been available over a week now. I think that is long 
enough.

On the 1st of December Przemyslaw Frasunek (venglin () freebsd lublin pl) 
wrote something about getting a wu-ftpd exploit working. The problem he 
was having was to do with the following macro:

#define arena_for_ptr(ptr) \
 (((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
  &main_arena : heap_for_ptr(ptr)->ar_ptr)

He worked around it by making a hacked up version of the malloc function. 

My solution: put the chunk on the heap between sbrk_base and the top value 
of the main_arena.

How? Get the chunk malloc()ed and stored there, then brute force it. (The 
exact position varies depending on a whole lot of things, and brute 
forcing is nice for system admins. They have pretty good evidence that 
there has been an attack. ;])

-- zen-parse

P.S. Apparently there are earlier versions of this exploit floating
around. Many of them are even buggier than this one, and all some of them
will do is add a few hundred K to the log files.

P.P.S Sorry, but it was too much temptation to resist posting it as 
wu261.c. The program is a wrapper for the archive. 


-- 
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.  
If this message was posted by zen-parse () gmx net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.

Attachment: wu261.c
Description: Real wu-ftpd 2.6.1 exploit