
Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD


Gregory A Lundberg (lundberg@vr.net)
Fri, 22 Oct 1999 15:24:03 -0400


On Thu, Oct 21, 1999 at 03:05:22PM -0500, Rami Dass wrote:

> Also, I believe that this problem occurs only in certain OS's vulnerable
> to the getcwd() exploit, the ERRATA file, in the 2.6.0 source tree, lists
> them:
>
> "Systems needing getcwd():
>
> BSD 4.4 (bsd)
> Unix 3.x (dec)
> DG/UX (dgx)
> Dynix (dyn)
> generic (gen)
> NeXTstep 2.x (nx2)
> OSF/1 (osf)
> Sony NewsOS (sny)"
>
> So this exploit MIGHT be OS specific and certain OS's running versions
> prior to 2.6.0 may not be affected.

The issue you're discussing here is not part of the CERT or AUSCERT
advisories.

It's a well-known fact that getwd() is not a good choice; it overruns
buffers. getcwd() allows bounds checking and should be used instead.

The systems listed above have no getcwd() function, or at least nobody has
reported those systems now have one, so we're still assuming they do not
(notice we're fixing _that_ class of assumptions by switching to autoconf).

Sun operating systems, in particular SunOS, provide the getcwd() function.
Testing has shown the results from that function are not reliable.

In version 2.5.0 we started including a portable version of getcwd() for
systems which do not have the function. In version 2.6.0, we use that
function on SunOS, eliminating the entire getwd()-class of problems.

Note that on the systems listed above, unless the FTP administrator
hand-changes something, the WU-FTPD daemon (version 2.5.0 or 2.6.0) will
not compile. There is a #error statement which stops the compile if
getwd() would be used.

> I did try building 2.6.0 under Solaris 7, and there were some problems
> with using "ls".

The problems with 'ls' are Solaris' ftp client; I understand Sun's had
bug reports filed on it. Our recommendation is to train Sun users to use
'dir' or 'ls -l' instead, or install another vendor's ftp client.

The issue here is the 'ls' command used to work for Sun Solaris users, but
the mget command was unreliable for all users on all platforms. Fixing
mget broke Sun's client. More properly stated, it exposed the brokenness
of Solaris' command-line ftp client.

> Incidentally, there has been a patch available to address the getcwd()
> issue on the ftp site for wu-ftpd that can be applied to 2.5.0.

The patch was for mapping_chdir, not the getcwd problem.

The patches for 2.5.0 only fix vul #1; #2 and #3 are only fixed in 2.6.0.

--

Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195
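The getwd()/getcwd() distinction this reply turns on, as an added example that is not part of the original post or of the WU-FTPD source: a bounds-checked current-directory lookup that refuses to compile if it would have to fall back to getwd(), mirroring the #error guard described above. The macro name HAVE_GETCWD and the function names are assumptions.

```c
/* Added example, not WU-FTPD code: bounds-checked current-directory
 * lookup plus a compile-time refusal to fall back to getwd(), the
 * pattern the reply describes.  HAVE_GETCWD is an assumed autoconf-
 * style macro name. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef HAVE_GETCWD
#define HAVE_GETCWD 1   /* assumption: modern libc; autoconf would set this */
#endif

#if !HAVE_GETCWD
#error "getwd() has no length argument and can overrun the buffer; refusing to build"
#endif

/* Fill buf with the current directory, never writing past len bytes.
 * Returns 0 on success, -1 with errno set (ERANGE when len is too small). */
int bounded_cwd(char *buf, size_t len)
{
    if (buf == NULL || len == 0) { errno = EINVAL; return -1; }
    if (getcwd(buf, len) == NULL) {
        buf[0] = '\0';           /* leave the caller a valid empty string */
        return -1;
    }
    return 0;
}

/* Heap-allocating variant: starts small and doubles on ERANGE, so no
 * fixed buffer size is ever assumed.  Caller frees the result. */
char *alloc_cwd(void)
{
    size_t len = 16;             /* deliberately small to exercise growth */
    for (;;) {
        char *buf = malloc(len);
        if (buf == NULL) return NULL;
        if (getcwd(buf, len) != NULL) return buf;
        free(buf);
        if (errno != ERANGE || len > (1u << 20)) return NULL;
        len *= 2;
    }
}
```

Building with HAVE_GETCWD defined as 0 reproduces the hard compile stop the reply mentions; with it set, bounded_cwd() reports ERANGE instead of writing past the buffer.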


