-----Original Message-----
From: owner-wu-ftpd () wugate wustl edu [mailto:owner-wu-ftpd () wugate wustl
edu] On Behalf Of Gregory A Lundberg
Sent: Tuesday, March 23, 1999 10:44 AM
To: Russ Allbery
Cc: ayu1 () nycap rr com; wu-ftpd () wugate wustl edu
Subject: Re: FW: ftp exploit

On 23 Mar 1999, Russ Allbery wrote:

> > any comments?
>
> It's an exploit script for the path overflow bug that's already been
> announced by CERT, been on all the security lists, and has already
> been fixed in the latest version of every wu-ftpd variant that I'm
> aware of as well as being the impetus for the final mainline wu-ftpd
> release?

Correct. This is a full exploit against Redhat 5.2 (the original advisory
was based upon a test, not an exploit).
My comment: This posting proves why you need to keep up with the CERT
mailing list, if not Bugtraq and other lists. As often happens, the
exploit followed the discovery of the vulnerability by several weeks.
While it sometimes happens that exploits are distributed before the daemon
authors are notified and public security announcement made, this was not
the case here.
My testing shows:
This is an exploit using the buffer overflow described in
CERT Advisory CA-99.03 - FTP-Buffer-Overflows
Available from http://www.CERT.org/
It is directed solely at Redhat CD 4.2 Linux systems running a clean,
default install. It was not successful on unclean 5.2 systems, the
pre-5.2 systems I tested on, or when I built the daemon by-hand instead of
using a Redhat (S)RPM. My testing showed, while none of the systems I
have available were exploitable, the exploit WOULD HAVE WORKED but failed
for identifiable reasons.
Given working code for Redhat 4.2, it should be a fairly simple matter to
port to non-Linux or non-5.2 systems.
WHO IS VULNERABLE
-----------------
- Systems running ALL versions of WU-FTPD _prior_ to 2.4.2 (final),
including all 2.4.2-beta versions, ARE VULNERABLE, except as noted
below:
- Systems with proper upload clauses are partially protected. Many
systems do not use proper upload clauses for real/guest users and are
NOT protected from abuse by their local users.
- Systems with proper permissions are partially protected. Most systems
do not use proper permissions for real/guest users since they would
prevent use by Telnet/SSH/Shell .. such systems are NOT protected from
their local users.
WHO IS NOT VULNERABLE
---------------------
- Systems running 2.4.2 (final) are protected against _this_ bug. Such
systems should upgrade to VR16 for maximum security; a number of other
bugs and security problems have been fixed in VR16.
- Systems running 2.4.2-beta-18-VR10 or later are protected. Anyone
running VR10 through VR13 should upgrade to VR14 or later at your
earliest convenience.
- Systems running BeroFTPD 1.2.0 or later are NOT vulnerable. All
BeroFTPD systems should upgrade to the current version (1.3.4) at their
earliest convenience. Anyone running a vulnerable system with NEWVIRT
will want to immediately upgrade to BeroFTPD.
The location of the latest version of wu-ftpd can be found in the
directory
ftp://ftp.vr.net/pub/wu-ftpd/
wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/
--
Gregory A Lundberg Senior Partner, VRnet Company
1441 Elmdale Drive lundberg+wuftpd () vr net
Kettering, OH 45409-1615 USA 1-800-809-2195
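
Added example, not part of the original message: a small triage helper that applies the WHO IS VULNERABLE / WHO IS NOT VULNERABLE lists above to an inventory of installed daemon versions. The function name, the status labels and the input notation (version strings written the way the message writes them, e.g. "2.4.2-beta-18-VR10") are assumptions; real FTP banners are formatted differently and would need their own parsing.

```python
import re

# Input notation is assumed to match the message ("2.4.2-beta-18-VR10",
# "BeroFTPD 1.3.4"); VR numbers are assumed to increase across the series.
_WU = re.compile(r"^(?:wu-?ftpd[- ])?(\d+(?:\.\d+)*)(?:-beta-(\d+))?(?:-VR(\d+))?$", re.I)
_BERO = re.compile(r"^BeroFTPD[- ](\d+(?:\.\d+)*)$", re.I)

def _nums(s):
    """'2.4' -> (2, 4, 0) so that short versions compare correctly."""
    t = tuple(int(p) for p in s.split("."))
    return (t + (0, 0, 0))[:3] if len(t) < 3 else t

def triage(version):
    """Return (status, advice) for one inventory entry, per the message's lists."""
    v = version.strip()
    m = _BERO.match(v)
    if m:
        n = _nums(m.group(1))
        if n < (1, 2, 0):
            return ("unlisted", "older than 1.2.0, not cleared by the message; upgrade to 1.3.4")
        return ("protected", "upgrade to 1.3.4" if n < (1, 3, 4) else None)
    m = _WU.match(v)
    if not m:
        return ("unparsed", "check manually")
    base, beta, vr = _nums(m.group(1)), m.group(2), m.group(3)
    if vr is not None:
        vr = int(vr)
        if vr < 10:
            return ("vulnerable", "upgrade to VR14 or later")
        return ("protected", "upgrade to VR14 or later" if vr < 14 else None)
    if beta is not None or base < (2, 4, 2):
        # Upload clauses and permissions are only partial protection.
        return ("vulnerable", "upgrade to 2.4.2 (final) or a current VR release")
    if base == (2, 4, 2):
        return ("protected", "upgrade to VR16")
    return ("unlisted", "newer than the message covers; check manually")

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real system.
    for entry in ["2.4.2-beta-15", "2.4.2-beta-18-VR10", "2.4.2-beta-18-VR14",
                  "2.4.2", "2.4", "BeroFTPD 1.2.0", "BeroFTPD 1.3.4", "ProFTPD"]:
        print(f"{entry:22} {triage(entry)}")
```
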