Bugtraq mailing list archives

Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)

From: hoshem () MEL COMCEN COM AU (Helmethead)
Date: Fri, 30 Jun 2000 14:25:52 +1000


On Thu, Jun 29, 2000 at 10:23:12AM +0000, Joey Maier wrote:

RHSA-2000:039-02: remote root exploit (SITE EXEC) fixed

[...]

A security bug in wu-ftpd can permit remote users, even without
an account, to gain root access.
The new version closes the hole.

2. Relevant releases/architectures:

Red Hat Linux 5.2 - i386 alpha sparc


      (which includes wu-ftpd-2.4.2b18-2.i386.rpm)

Red Hat Linux 6.2 - i386 alpha sparc


      (which includes wu-ftpd-2.6.0-3.i386.rpm)

What about Red Hat 6.0 (includes wu-ftpd-2.4.2vr17-3.i386.rpm) and
6.1 (includes wu-ftpd-2.5.0-9.i386.rpm)? I know that the sploit tf8
released was for version 2.6.0, but earlier versions of wu-ftpd
are vunerable, too.  Does anyone know if Red Hat plans to release
RPMs to fix the 2.5.0 version included in Red Hat 6.1?

--
      "When you understand UNIX, you will understand the world.
       When you understand NT....you will understand NT" - R. Thieme
http://www.slothnet.com


No need, redhat 6.1's wu-ftpd 2.5.0 uses it's stripped down internal *printf instead of the library one, and wu-ftpd's 
internal printf does not recognise the %n formatting directive crucial to this exploit. It isn't vulnerable.

Current thread:

[RHSA-2000:038-01] Zope update, (continued)
- - - [RHSA-2000:038-01] Zope update bugzilla () REDHAT COM (Jun 22)
    - FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options FreeBSD Security Advisories (Jun 22)
    - Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options yeti (Jan 13)
    - Re: rh 6.2 - gid compromises, etc Stan Bubrouski (Jun 22)
    - [SECURITY] New Debian wu-ftpd packages released Daniel Jacobowitz (Jun 23)
    - Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Joey Maier (Jun 29)
    - Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Jim Knoble (Jun 29)
    - Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Andrea Costantino (Jun 29)
    - Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Kenn Humborg (Jun 29)
    - Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Philip Rowlands (Jun 29)
    - Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Helmethead (Jun 29)
    - Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd) Hugo.van.der.Kooij () CAIW NL (Jun 29)
    - CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD Security (Jun 23)
    - Security Update: wu-ftpd vulnerability Technical Support (Jun 23)
  - Re: NAI WebShield SMTP does not scan base64 encoding Andre Albsmeier (Jun 21)
    - Bruce 1.0 EA3: Networked Host-Vulnerability Scanner for Solaris & Linux Keith A. Watson (Jun 21)
    - NetBSD Security Advisory 2000-007 security-officer () NETBSD ORG (Jun 21)
    - Re: NAI WebShield SMTP does not scan base64 encoding Elias Levy (Jun 22)
    - Security Bulletins Digest patrick () PINE NL (Jun 22)
    - Re: NAI WebShield SMTP does not scan base64 encoding chris.paget () ANALYSYS COM (Jun 22)
    - Free mail scanning tool (was Re: NAI WebShield SMTP does not scan base64 encoding) David F. Skoll (Jun 22)

(Thread continues...)