Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
From: "Junius, Martin" <Martin.Junius () t-systems de>
Date: Thu, 29 Nov 2001 17:46:04 +0100

I am running the a linux port of the bsd ftpd and it might be 
vulnerable to
a similar attack,

ftp localhost
Connected to localhost.
220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
Name (localhost:user): ftp
331 Guest login ok, type your name as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
200 PORT command successful.
421 Service not available, remote server has closed connection

in inetd I find an error stating that the ftpd process has 
died unexpectedly

Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11

I just did some tests with RedHat 7.2, glibc-2.2.4-19, and ftpd-BSD-0.3.2.
"ls ~{" makes the ftpd process die in glibc´s glob(pattern="~{", ...)
function with a SEGV. Beside that ftpd-BSD uses globfree() to release
the memory. So as long as glibc's glob() is safe, ftpd-BSD *should*
be safe against this exploit.

On RedHat 6.2, glibc-2.1.3-22, "ls ~{" simply returns "No such file
or directory".

Martin


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]