Vulnerability Development mailing list archives
Re: some ftpd implementations mishandle CWD ~{
From: Matt Power <mhpower () BOS BINDVIEW COM>
Date: Thu, 10 May 2001 00:41:50 -0400
On Wed, 2 May 2001 15:10:47 +0200, Christian Hammers <ch () WESTEND COM> wrote:
... you say that the server is DOS'able from remote... Or maybe it's just the one thread that crashes and the main server will handle other connections further on. (I haven't had time to really look at this)
Typically connections would be accepted by inetd or some other program that has a similar role (tcpserver, xinetd, etc.). Here are some further details about what I originally posted:
(1) wu-ftpd 2.6.1 on Linux ... ... behavior of server: segmentation fault ...
Some people have stated that the segmentation fault in wu-ftpd is due to dereferencing a NULL pointer. This might be true in some environments, but on (for example) Red Hat 6.1 Linux, the segmentation fault is due to a call to munmap with a specific non-zero address that happens to not refer to a valid memory location. In general, at the application level, the problem occurs because free is called with an incorrect argument. This is a non-zero argument in the Linux case.

I've also been asked about when the code that leads to the segmentation fault (i.e., the "blkfree(&globlist[1])" code) was added to the ftpd. It was added in between wu-ftpd-2.4.2-beta-13 and wu-ftpd-2.4.2-beta-14. The change might be related to this section in the FIXES-2.4.2-BETA-14 file: "contains a number of fixes for various memory leaks in the glob routines as well as some logic problem in the processing of the ABOR verb"
(2) NetBSD 1.5T ... ... ftpd banner: 220 hostname FTP server (NetBSD-ftpd 20010329) ready.
...
Off hand, it looks like the server is responding with data from an inappropriate memory location. ...
vendor response: As of 2001/04/17 (ftpd version string "20010417a"), NetBSD's ftpd doesn't use glob(3) for explicit ~ processing in pathnames, so it's not vulnerable to this particular attack.
There isn't any ftpd for which I've found an exploit by which the "CWD ~{" behavior can be leveraged to allow execution of significantly undesirable code.
Still the same, and I haven't heard of anyone else finding an exploit.

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com
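The failure mode described above (free called with an argument that malloc never returned, here an interior pointer like &globlist[1]) can be made visible without crashing by wrapping the allocator. The following is an added illustration, not wu-ftpd's code: blkfree_checked, tmalloc/tfree, and the two-entry list are constructed here to mirror the blkfree(&globlist[1]) pattern the post mentions; the real ftpd glob internals are not reproduced.

```c
/* Added example (not wu-ftpd code): a NULL-terminated string list freed
 * blkfree-style, plus a tracking layer that rejects free() arguments that
 * were never returned by malloc, i.e. the class of call the thread blames
 * for the segmentation fault (libc acting on a bogus non-NULL pointer). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64
static void *tracked[MAX_TRACKED];   /* pointers currently owned by malloc */
static int bad_frees;                /* count of rejected free() arguments */

static void *tmalloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_TRACKED; i++)
        if (!tracked[i]) { tracked[i] = p; break; }
    return p;
}

/* Free only if p is a live allocation; otherwise record the bad call and
 * leave memory alone instead of letting libc act on a bogus chunk header. */
static void tfree(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == p) { tracked[i] = NULL; free(p); return; }
    bad_frees++;
}

static char *tstrdup(const char *s) {
    char *d = tmalloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

/* blkfree-style: free every element of a NULL-terminated list, then the list. */
static void blkfree_checked(char **av) {
    for (char **p = av; *p; p++) tfree(*p);
    tfree(av);
}

/* Build a constructed 2-entry list, free it either correctly or through an
 * interior pointer (as in blkfree(&globlist[1])), and return how many
 * bad free() calls the tracker caught. */
int bad_free_count(int use_interior_pointer) {
    bad_frees = 0;
    char **list = tmalloc(3 * sizeof *list);
    list[0] = tstrdup("dir1"); list[1] = tstrdup("dir2"); list[2] = NULL;
    if (use_interior_pointer) {
        blkfree_checked(&list[1]);   /* frees "dir2", then rejects &list[1] */
        tfree(list[0]); tfree(list); /* clean up what the bad call skipped */
    } else {
        blkfree_checked(list);
    }
    return bad_frees;
}
```

Running the same list through a real allocator with the interior pointer is undefined behaviour; tools such as AddressSanitizer or valgrind report it as "attempting free on address which was not malloc()-ed", which is the signal to look for when triaging a crash like the one in this thread.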