From: warchildspoofed.org
Date: Sun Apr 28 2002 - 22:55:31 CDT

    Greetings,

    I'm curious if anyone has successfully captured a compromise of a system
    running wu-ftpd via the advisory released late 2001 regarding the file
    globbing heap corruption vulnerability.

    I think it is fairly well known that compromises of a standard Linux system
    running a vulnerable version of wu-ftpd are extremely common right now.
    What I haven't heard much about, however, are compromises of non-Linux
    systems running a vulnerable version of this daemon.

    I know of a number of systems running a supposedly vulnerable version that
    have "had their doors rattled" by what could only be worms or
    banner-grabbing runs. Those systems have since been patched but the doors
    still rattle quite frequently. My ears and other senses tell me that
    perhaps the one or two widely distributed exploits for this particular
    vulnerability are strictly targeting systems for which the _exact_ details
    of the exploit are already known.

    i.e.,

    A RedHat 7.2 system running wu-ftpd-2.6.1 will return a banner similar to
    "Version wu-2.6.1-18", and we know we should use a return address of
    0xdeadb33f. And so on. Someone compiles a list of banners and known
    details of the exploitation for that particular system and distributes it
    in one easy to (ab)use package. Quite similar to x2, the oh-so popular ssh
    toy.

    Sure, a skilled attacker making a directed attack against, say, a Solaris
    or OpenBSD box running wu-ftpd could most likely gain complete control, but
    I can't recall any reports of such attacks.

    Has anyone seen any such attacks? Failed? Successful?

    Thanks in advance,

    -jon

    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA) Service. For more information on SecurityFocus' SIA service
    which automatically alerts you to the latest security vulnerabilities.
    Please, see: https://alerts.securityfocus.com/