Subject: Re: WuFTPD: Providing *remote* root since at least 1994
From: Daniel Jacobowitz (drow at FALSE.ORG)
Date: Fri Jun 23 2000 - 01:28:36 CDT
- Next message: Lamagra Argamal: "ftpd: the advisory version"
- Previous message: Luis Pinto: "Re: Netscape FTP Server - "Professional" as hell :>"
- In reply to: Bernhard Rosenkraenzer: "Re: WuFTPD: Providing *remote* root since at least1994"
- Next in thread: Marcus Meissner: "Re: WuFTPD: Providing *remote* root since at least1994"
- Next in thread: Peter Pentchev: "Re: WuFTPD: Providing *remote* root since at least1994"
- Reply: Daniel Jacobowitz: "Re: WuFTPD: Providing *remote* root since at least1994"
- Reply: Marcus Meissner: "Re: WuFTPD: Providing *remote* root since at least1994"
- Reply: Tomasz Grabowski: "Re: WuFTPD: Providing *remote* root since at least1994"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ Maybe I'm just out of the loop, but... does no one NOTIFY VENDORS any more? ]
On Fri, Jun 23, 2000 at 02:20:11AM +0200, Bernhard Rosenkraenzer wrote:
> On Thu, 22 Jun 2000, Elias Levy wrote:
>
> > /* - wuftpd2600.c
> > * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999
>
> This should fix it... Since the exploit never worked for me in the first
> time and I haven't taken the time to fix it yet (fixing the bug is more
> important than fixing the exploit, I guess ;) ), it's unverified though.
>
> LLaP
> bero
Actually, here's a more useful patch.
Sorry, thanks for playing. These don't apply to the problem.
Content-Description: fix
> --- wu-ftpd-2.6.0/src/ftpcmd.y.security Fri Jun 23 01:49:45 2000
> +++ wu-ftpd-2.6.0/src/ftpcmd.y Fri Jun 23 01:52:37 2000
> 
-776,7 +776,7 
> if (!restricted_user && $2 != 0 && $6 != NULL) {
> char buf[MAXPATHLEN];
> if (strlen($6) + 7 <= sizeof(buf)) {
> - sprintf(buf, "index %s", (char *) $6);
> + snprintf(buf, MAXPATHLEN, "index %s", (char *) $6);
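Review bot: the sprintf-to-snprintf swap on the last two lines is a no-op for safety, because the guard just above, `if (strlen($6) + 7 <= sizeof(buf))`, already reserves the 6 bytes of "index " plus the terminator, so the sprintf could never write past buf. If the snprintf is kept, pass sizeof(buf) rather than MAXPATHLEN so the bound and the declaration cannot drift apart. As quoted, the hunk header also reads `-776,7 +776,7` without the surrounding `@@` markers, so patch(1) will not apply it in this form.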
And it is not needed, since there is a 512 char limit on network input
and MAXPATHLEN is generally about 2K.
Not to mention that could still be overflowable. snprintf() doesn't
null terminate.
> 
-1871,6 +1871,10 
> char *sp = (char *) strchr(cmd, ' '), *slash, *t;
> FILE *cmdf;
>
> + if(strlen(cmd)+strlen(_PATH_EXECPATH)+1 > MAXPATHLEN) {
> + syslog(LOG_CRIT, "User probably tried SITE EXEC root exploit, refusing!");
> + return;
> + }
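Review bot: the added length test is redundant with, and looser than, the check already in this function: the third hunk shows `if (strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf)) return;` immediately before the sprintf, which counts both the '/' separator and the terminator, while the new test adds only 1 and compares against MAXPATHLEN instead of sizeof(buf), so it admits one length the existing check rejects. Drop it; if a log line is wanted, hang it on the existing check, at a lower priority than LOG_CRIT and with neutral wording, since an over-long SITE EXEC argument by itself is not evidence of an exploit attempt.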
And that's useless, since it's checked not far below (about 20 lines, I
think).
>
> 
-1893,7 +1897,7 
> /* build the command */
> if (strlen(_PATH_EXECPATH) + strlen(cmd) + 2 > sizeof(buf))
> return;
> - sprintf(buf, "%s/%s", _PATH_EXECPATH, cmd);
> + snprintf(buf, MAXPATHLEN, "%s/%s", _PATH_EXECPATH, cmd);
>
> cmdf = ftpd_popen(buf, "r", 0);
> if (!cmdf) {
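Review bot: same point as the first hunk: the `+ 2 > sizeof(buf)` check two lines above already makes the sprintf safe, so swapping in snprintf adds no protection here and, as the reply says, does not touch the reported problem. If it stays, use sizeof(buf) as the bound rather than repeating MAXPATHLEN.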
See first comment.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan at debian.org | | dmj+ at andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
- text/plain attachment: wuftpd.diff
- application/pgp-signature attachment: stored
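The guard arithmetic the reply leans on, as an added stand-alone C example (not code from the thread or from wu-ftpd; MAXPATHLEN and EXECPATH are constructed stand-ins and the builder functions are hypothetical): it reproduces the two existing checks, shows that each reserves exactly the bytes sprintf will write, and shows that the second hunk's +1 test is looser than the +2 guard it duplicates.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for wu-ftpd's MAXPATHLEN and _PATH_EXECPATH; the real
 * values differ, only the arithmetic of the guards matters here. */
#define MAXPATHLEN 64
#define EXECPATH "/bin/ftp-exec" /* 13 bytes */

/* First hunk's pattern: "index <arg>" behind strlen(arg) + 7 <= sizeof(buf).
 * "index " is 6 bytes, the 7th is the terminator, so the guard is exact and
 * sprintf cannot write past buf. Returns bytes written, or -1 if rejected. */
int build_index_cmd(char *buf, size_t bufsize, const char *arg)
{
    if (strlen(arg) + 7 > bufsize)
        return -1;
    return sprintf(buf, "index %s", arg);
}

/* Third hunk's pattern: EXECPATH "/" cmd behind strlen(EXECPATH) + strlen(cmd)
 * + 2 > sizeof(buf): one byte for '/', one for the terminator. */
int build_exec_cmd(char *buf, size_t bufsize, const char *cmd)
{
    if (strlen(EXECPATH) + strlen(cmd) + 2 > bufsize)
        return -1;
    return sprintf(buf, "%s/%s", EXECPATH, cmd);
}

/* Second hunk's added test uses + 1 where the existing guard uses + 2; returns
 * 1 at a command length where the new test accepts what the old one rejects. */
int guards_disagree(size_t cmdlen)
{
    int loose  = strlen(EXECPATH) + cmdlen + 1 > MAXPATHLEN;
    int strict = strlen(EXECPATH) + cmdlen + 2 > MAXPATHLEN;
    return loose != strict;
}

/* Drive a builder with a constructed argument of n 'A' bytes. */
static int run_with_len(int (*build)(char *, size_t, const char *), size_t n)
{
    char buf[MAXPATHLEN], arg[2 * MAXPATHLEN];
    if (n >= sizeof arg) return -2;
    memset(arg, 'A', n); arg[n] = '\0';
    return build(buf, sizeof buf, arg);
}
int index_cmd_for_len(size_t n) { return run_with_len(build_index_cmd, n); }
int exec_cmd_for_len(size_t n)  { return run_with_len(build_exec_cmd, n); }

int main(void)
{
    printf("index: %d %d\n", index_cmd_for_len(57), index_cmd_for_len(58));
    printf("exec: %d %d, +1/+2 disagree at 50: %d\n",
           exec_cmd_for_len(49), exec_cmd_for_len(50), guards_disagree(50));
    return 0;
}
```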