7590816 2001-11-28 10:05 -0700  /450 lines/ Dave Ahmad <da@securityfocus.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-28  20:12  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19904>
Marked by 1 person.
Subject: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------
From: Dave Ahmad <da@securityfocus.com>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.GSO.4.30.0111280946160.20852-100000@mail.securityfocus.com>


---------------------------------------------------------------------------
                              Security Alert

Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability
BUGTRAQ ID:   3581                   CVE ID:         CVE-MAP-NOMATCH
Published:    Nov 27, 2001           Updated:        Nov 28, 2001 01:12:56

Remote:       Yes                    Local:          No
Availability: Always                 Authentication: Not Required
Credibility:  Vendor Confirmed       Ease:           No Exploit Available
Class:        Failure to Handle Exceptional Conditions

Impact:   10.0           Severity: 10.0            Urgency:  8.2

Last Change:  Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:

  Washington University wu-ftpd 2.6.1
   + Caldera OpenLinux Server 3.1
   + Caldera OpenLinux Workstation 3.1
   + Cobalt Qube 1.0
   + Conectiva Linux 7.0
   + Conectiva Linux 6.0
   + MandrakeSoft Corporate Server 1.0.1
   + MandrakeSoft Linux Mandrake 8.1
   + MandrakeSoft Linux Mandrake 8.0 ppc
   + MandrakeSoft Linux Mandrake 8.0
   + MandrakeSoft Linux Mandrake 7.2
   + MandrakeSoft Linux Mandrake 7.1
   + MandrakeSoft Linux Mandrake 7.0
   + MandrakeSoft Linux Mandrake 6.1
   + MandrakeSoft Linux Mandrake 6.0
   + RedHat Linux 7.2 noarch
   + RedHat Linux 7.2 ia64
   + RedHat Linux 7.2 i686
   + RedHat Linux 7.2 i586
   + RedHat Linux 7.2 i386
   + RedHat Linux 7.2 athlon
   + RedHat Linux 7.2 alpha
   + RedHat Linux 7.1 noarch
   + RedHat Linux 7.1 ia64
   + RedHat Linux 7.1 i686
   + RedHat Linux 7.1 i586
   + RedHat Linux 7.1 i386
   + RedHat Linux 7.1 alpha
   + RedHat Linux 7.0 sparc
   + RedHat Linux 7.0 i386
   + RedHat Linux 7.0 alpha
   + TurboLinux TL Workstation 6.1
   + TurboLinux Turbo Linux 6.0.5
   + TurboLinux Turbo Linux 6.0.4
   + TurboLinux Turbo Linux 6.0.3
   + TurboLinux Turbo Linux 6.0.2
   + TurboLinux Turbo Linux 6.0.1
   + TurboLinux Turbo Linux 6.0
   + Wirex Immunix OS 7.0-Beta
   + Wirex Immunix OS 7.0
  Washington University wu-ftpd 2.6.0
   + Cobalt Qube 1.0
   + Conectiva Linux 5.1
   + Conectiva Linux 5.0
   + Conectiva Linux 4.2
   + Conectiva Linux 4.1
   + Conectiva Linux 4.0es
   + Conectiva Linux 4.0
   + Debian Linux 2.2 sparc
   + Debian Linux 2.2 powerpc
   + Debian Linux 2.2 arm
   + Debian Linux 2.2 alpha
   + Debian Linux 2.2 68k
   + Debian Linux 2.2
   + RedHat Linux 6.2 sparc
   + RedHat Linux 6.2 i386
   + RedHat Linux 6.2 alpha
   + RedHat Linux 6.1 sparc
   + RedHat Linux 6.1 i386
   + RedHat Linux 6.1 alpha
   + RedHat Linux 6.0 sparc
   + RedHat Linux 6.0 i386
   + RedHat Linux 6.0 alpha
   + RedHat Linux 5.2 sparc
   + RedHat Linux 5.2 i386
   + RedHat Linux 5.2 alpha
   + S.u.S.E. Linux 6.4ppc
   + S.u.S.E. Linux 6.4alpha
   + S.u.S.E. Linux 6.4
   + S.u.S.E. Linux 6.3 ppc
   + S.u.S.E. Linux 6.3 alpha
   + S.u.S.E. Linux 6.3
   + S.u.S.E. Linux 6.2
   + S.u.S.E. Linux 6.1 alpha
   + S.u.S.E. Linux 6.1
   + TurboLinux Turbo Linux 4.0
   + Wirex Immunix OS 6.2
  Washington University wu-ftpd 2.5.0
   + Caldera eDesktop 2.4
   + Caldera eServer 2.3.1
   + Caldera eServer 2.3
   + Caldera OpenLinux 2.4
   + Caldera OpenLinux Desktop 2.3
   + RedHat Linux 6.0 sparc
   + RedHat Linux 6.0 i386
   + RedHat Linux 6.0 alpha


Summary:

  Wu-Ftpd contains a remotely exploitable heap corruption bug.

Impact:

  A remote attacker may execute arbitrary code on the vulnerable
server.

Technical Description:

  Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained
  by Washington University.

  Wu-Ftpd allows for clients to organize files for ftp actions based
  on "file globbing" patterns.  File globbing is also used by various
  shells.  The implementation of file globbing included in Wu-Ftpd
  contains a heap corruption vulnerability that may allow for an
  attacker to execute arbitrary code on a server remotely.

  During the processing of a globbing pattern, the Wu-Ftpd implementation
  creates a list of the files that match.  The memory where this data is
  stored is on the heap, allocated using malloc().  The globbing function
  simply returns a pointer to the list.  It is up to the calling
  functions to free the allocated memory.

  If an error occurs processing the pattern, memory will not be
  allocated and a variable indicating this should be set.  The
  calling functions must check the value of this variable before
  attempting to use the globbed filenames (and later freeing the
  memory).

  When certain globbing patterns are processed, the globbing function
  does not set this variable when an error occurs.  As a result of
  this, Wu-Ftpd may eventually attempt to free uninitialized memory.
  There are a number of possibly exploitable conditions.

  If this region of memory contained user-controllable data before the
  free call, it may be possible to have an arbitrary word in memory
  overwritten with an arbitrary value.  This can lead to execution of
  arbitrary code if function pointers or return addresses are
  overwritten.

  If anonymous FTP is not enabled, valid user credentials are
  required to exploit this vulnerability.

  This vulnerability was initially scheduled for public release on
  December 3, 2001.  However, Red Hat has made details public as of
  November 27, 2001.  As a result, we are forced to warn other users
  of the vulnerable product, so that they may take appropriate
  actions.

Attack Scenarios:

  To exploit this vulnerability, an attacker must have either valid
  credentials required to log in as an FTP user, or anonymous access
  must be enabled.

  The attacker must ensure that a maliciously constructed malloc header
  containing the target address and its replacement value are in the
  right location in the uninitialized part of the heap.  The attacker
  must also place shellcode in server process memory.

  The attacker must send an FTP command containing  a  specific
  globbing pattern that does not set the error variable.

  When the server attempts to free the memory used to store  the
  globbed filenames, the target word in memory will be overwritten.

  If an attacker overwrites a function pointer or return address
  with  a pointer to the shellcode, it may be executed by the server
  process.

Exploits:

  The following (from the CORE advisory) demonstrates the existence
  of this vulnerability:

    ftp> open localhost
    Connected to localhost (127.0.0.1).
    220 sasha FTP server (Version wu-2.6.1-18) ready.
    Name (localhost:root): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls ~{
    227 Entering Passive Mode (127,0,0,1,241,205)
    421 Service not available, remote server has closed connection

    1405 ?        S      0:00 ftpd: accepting connections on port 21
    7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
    26256 ?        S      0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    26265 tty3     R      0:00 bash -c ps ax | grep ftpd
    (gdb) at 26256
    Attaching to program: /usr/sbin/wu.ftpd, process 26256
    Symbols already loaded for /lib/libcrypt.so.1
    Symbols already loaded for /lib/libnsl.so.1
    Symbols already loaded for /lib/libresolv.so.2
    Symbols already loaded for /lib/libpam.so.0
    Symbols already loaded for /lib/libdl.so.2
    Symbols already loaded for /lib/i686/libc.so.6
    Symbols already loaded for /lib/ld-linux.so.2
    Symbols already loaded for /lib/libnss_files.so.2
    Symbols already loaded for /lib/libnss_nisplus.so.2
    Symbols already loaded for /lib/libnss_nis.so.2
    0x40165544 in __libc_read () from /lib/i686/libc.so.6
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    __libc_free (mem=0x61616161) at malloc.c:3136
    3136    in malloc.c

  Currently the SecurityFocus staff are not aware of any exploits for
  this issue.  If you feel we are in error or are aware of more recent
  information, please mail us at: vuldb@securityfocus.com

Mitigating Strategies:

  This vulnerability is remotely exploitable.  Restricting access to
  the network port (TCP port 21 is standard for FTP) will block
  clients from unauthorized networks.

  With some operating systems, anonymous FTP is enabled by default.
  Anonymous FTP is often in use on public FTP sites, most often
  software repositories.  It is basically a guest account with access
  to download files from within a restricted environment.  This
  vulnerability is exploitable by clients logged in through anonymous
  FTP.  Anonymous FTP should be disabled immediately until fixes are
  available, as it would allow any host on the Internet who can
  connect to the service to exploit this vulnerability.  It is a good
  idea to disable it normally unless it is absolutely necessary (in
  which case the FTP server should be on a dedicated, isolated host).

  Stack and other memory protection schemes may complicate
  exploitability, and/or prevent commonly available exploits from
  working.  This should not be relied upon for security.  This
  vulnerability involves 'poking' words in memory.  This means that there
  are many different ways that it may be exploited.  Making the stack
  non-executable or checking the integrity of stack variables may not be
  enough to prevent all possible methods of exploitation.

  It is advised to disable the service and use alternatives  until
  fixes are available.

Solutions:

  Vendor notified on Nov 14, 2001.

  Fixes will be available from the author as well as from vendors who
  ship products that include Wu-Ftpd as core or optional components.

  This vulnerability was initially scheduled for public release on
  December 3, 2001.  Red Hat pre-emptively released an advisory on
  November 27, 2001.  As a result, other vendors may not yet have
  fixes available.

  This record will be updated as fixes from various vendors become
  available.

  For Washington University wu-ftpd 2.6.1:

    Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm
    ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm

    Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm
    ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm

    Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
    ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

    Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

    Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
    ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

    Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

    Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm
    ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm

    Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm

    Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm

Credit:

  Condition first reported by Matt Power, deemed non-exploitable.
  Rediscovered and exploitability later confirmed by Luciano
  Notarfrancesco and Juan Pablo Martinez Kuhn from Core Security
  Technologies, Buenos Aires, Argentina.

References:

  advisory:
  RedHat RHSA-2001:157-06: Updated wu-ftpd packages are available
  http://www.securityfocus.com/advisories/3680

  web page:
  CORE SDI Homepage (CORE)
  http://www.core-sdi.com

  web page:
  Wu-Ftpd Homepage (Washington University)
  http://www.wu-ftpd.org

ChangeLog:

  Nov 26, 2001: Initial analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

            BUGTRAQ ID: This is a unique identifier assigned to the
                        vulnerability by SecurityFocus.com.

                CVE ID: This is a unique identifier assigned to the
                        vulnerability by the CVE.

             Published: The date the vulnerability was first made public.

               Updated: The date the information was last updated.

                Remote: Whether this is a remotely exploitable
                        vulnerability.

                 Local: Whether this is a locally exploitable
                        vulnerability.

           Credibility: Describes how credible the information about the
                        vulnerability is. Possible values are:

                        Conflicting Reports: There are multiple
                        conflicting reports about the existence of the
                        vulnerability.

                        Single Source: There is a single non-reliable
                        source reporting the existence of the
                        vulnerability.

                        Reliable Source: There is a single reliable
                        source reporting the existence of the
                        vulnerability.

                        Conflicting Details: There is consensus on the
                        existence of the vulnerability but not its
                        details.

                        Multiple Sources: There is consensus on the
                        existence and details of the vulnerability.

                        Vendor Confirmed: The vendor has confirmed the
                        vulnerability.

                 Class: The class of vulnerability. Possible values are:
                        Boundary Condition Error, Access Validation Error,
                        Origin Validation Error, Input Validation Error,
                        Failure to Handle Exceptional Conditions, Race
                        Condition Error, Serialization Error, Atomicity
                        Error, Environment Error, and Configuration Error.

                  Ease: Rates how easily the vulnerability can be
                        exploited. Possible values are: No Exploit
                        Available, Exploit Available, and No Exploit
                        Required.

                Impact: Rates the impact of the vulnerability. Its range
                        is 1 through 10.

              Severity: Rates the severity of the vulnerability. Its range
                        is 1 through 10. It is computed from the impact
                        rating and remote flag. Remote vulnerabilities with
                        a high impact rating receive a high severity
                        rating. Local vulnerabilities with a low impact
                        rating receive a low severity rating.

               Urgency: Rates how quickly you should take action to fix or
                        mitigate the vulnerability. Its range is 1 through
                        10. It is computed from the severity rating, the
                        ease rating, and the credibility rating. High
                        severity vulnerabilities with a high ease rating
                        and a high confidence rating have a higher urgency
                        rating. Low severity vulnerabilities with a low
                        ease rating and a low confidence rating have a
                        lower urgency rating.

           Last Change: The last change made to the vulnerability
                        information.

    Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
                        system name indicates that one of the system
                        components is vulnerable. For example, Windows 98
                        ships with Internet Explorer, so if a vulnerability
                        is found in IE you may see something like:
                        Microsoft Internet Explorer + Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

               Summary: A concise summary of the vulnerability.

                Impact: The impact of the vulnerability.

 Technical Description: The in-depth description of the vulnerability.

      Attack Scenarios: Ways an attacker may make use of the vulnerability.

              Exploits: Exploit instructions or programs.

 Mitigating Strategies: Ways to mitigate the vulnerability.

             Solutions: Solutions to the vulnerability.

                Credit: Information about who disclosed the vulnerability.

            References: Sources of information on the vulnerability.

     Related Resources: Resources that might be of additional value.

             ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------

                     Copyright 2001 SecurityFocus.com





  ----------
SecurityFocus - the leading provider of Security Intelligence Services for
business.
Visit our website at www.securityfocus.com
(7590816) /Dave Ahmad <da@securityfocus.com>/(Rewrapped)
Comment in text 7590970 by kjell-e  (Kjell Enblom)
Comment in text 7592536 by script0r <script0r@axenet.org>
7592536 2001-11-28 18:36 -0500  /47 lines/ script0r <script0r@axenet.org>
Sent by: joel@lysator.liu.se
Imported: 2001-11-29  01:56  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19923>
Comment on text 7590816 by Dave Ahmad <da@securityfocus.com>
Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------
From: "script0r" <script0r@axenet.org>
To: <bugtraq@securityfocus.com>
Message-ID: <35684.24.51.95.122.1006990579.squirrel@mail.axenet.org>

>
> --------------------------------------------------------------------------
-
>                              Security Alert
>
> Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability
> BUGTRAQ ID:   3581                   CVE ID:         CVE-MAP-NOMATCH
> Published:    Nov 27, 2001           Updated:        Nov 28, 2001
> 01:12:56
>
> Remote:       Yes                    Local:          No
> Availability: Always                 Authentication: Not Required
> Credibility:  Vendor Confirmed       Ease:           No Exploit
> Available Class:        Failure to Handle Exceptional Conditions
>
> Impact:   10.0           Severity: 10.0            Urgency:  8.2
>
> Last Change:  Initial analysis.
> --------------------------------------------------------------------------

I am running a Linux port of the BSD ftpd and it might be
vulnerable to a similar attack:

ftp localhost
Connected to localhost.
220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
Name (localhost:user): ftp
331 Guest login ok, type your name as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
200 PORT command successful.
421 Service not available, remote server has closed connection

In inetd I find an error stating that the ftpd process has died
unexpectedly:

Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
(7592536) /script0r <script0r@axenet.org>/(Rewrapped)
Comment in text 7592576 by Andre Oppermann <oppermann@pipeline.ch>
Comment in text 7592839 by Todd C. Miller <Todd.Miller@courtesan.com>
7592576 2001-11-29 01:00 +0100  /58 lines/ Andre Oppermann <oppermann@pipeline.ch>
Sent by: joel@lysator.liu.se
Imported: 2001-11-29  02:10  by Brevbäraren
External recipient: script0r <script0r@axenet.org>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19926>
Comment on text 7592536 by script0r <script0r@axenet.org>
Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------
From: Andre Oppermann <oppermann@pipeline.ch>
To: script0r <script0r@axenet.org>
Cc: bugtraq@securityfocus.com
Message-ID: <3C057A82.C2258A6E@pipeline.ch>


The FreeBSD ftpd on at least FreeBSD 4.4 and FreeBSD 5.0-current does
not crash but simply provides a normal 'ls' output even though
script0r sees his Linux port of the (Open)BSD ftpd crashing.

-- 
Andre


script0r wrote:
> 
> >
> > --------------------------------------------------------------------------
> -
> >                              Security Alert
> >
> > Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability
> > BUGTRAQ ID:   3581                   CVE ID:         CVE-MAP-NOMATCH
> > Published:    Nov 27, 2001           Updated:        Nov 28, 2001
> > 01:12:56
> >
> > Remote:       Yes                    Local:          No
> > Availability: Always                 Authentication: Not Required
> > Credibility:  Vendor Confirmed       Ease:           No Exploit
> > Available Class:        Failure to Handle Exceptional Conditions
> >
> > Impact:   10.0           Severity: 10.0            Urgency:  8.2
> >
> > Last Change:  Initial analysis.
> > --------------------------------------------------------------------------
> 
> I am running a Linux port of the BSD ftpd and it might be vulnerable to
> a similar attack:
> 
> ftp localhost
> Connected to localhost.
> 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> Name (localhost:user): ftp
> 331 Guest login ok, type your name as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 200 PORT command successful.
> 421 Service not available, remote server has closed connection
> 
> in inetd I find an error stating that the ftpd process has died unexpectedly
> 
> Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
(7592576) /Andre Oppermann <oppermann@pipeline.ch>/(Rewrapped)
Comment in text 7592843 by Brad <brad@comstyle.com>
7592843 2001-11-28 20:15 -0500  /64 lines/ Brad <brad@comstyle.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-29  05:04  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19930>
Comment on text 7592576 by Andre Oppermann <oppermann@pipeline.ch>
Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------
From: Brad <brad@comstyle.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.BSO.4.42.0111282012180.14075-100000@ss5.comstyle.com>

OpenBSD's ftpd exhibits the same behavior, 2.9-stable, 3.0-stable and
-current.

// Brad

brad@comstyle.com
brad@openbsd.org

>The FreeBSD ftpd on at least FreeBSD 4.4 and FreeBSD 5.0-current does
>not crash but simply provides a normal 'ls' output even though script0r
>sees his Linux port of the (Open)BSD ftpd crashing.
>
>--
>Andre
>
>
>script0r wrote:
>>
>> >
>> > --------------------------------------------------------------------------
>> -
>> >                              Security Alert
>> >
>> > Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability
>> > BUGTRAQ ID:   3581                   CVE ID:         CVE-MAP-NOMATCH
>> > Published:    Nov 27, 2001           Updated:        Nov 28, 2001
>> > 01:12:56
>> >
>> > Remote:       Yes                    Local:          No
>> > Availability: Always                 Authentication: Not Required
>> > Credibility:  Vendor Confirmed       Ease:           No Exploit
>> > Available Class:        Failure to Handle Exceptional Conditions
>> >
>> > Impact:   10.0           Severity: 10.0            Urgency:  8.2
>> >
>> > Last Change:  Initial analysis.
>> > --------------------------------------------------------------------------
>>
>> I am running a Linux port of the BSD ftpd and it might be vulnerable to
>> a similar attack:
>>
>> ftp localhost
>> Connected to localhost.
>> 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
>> Name (localhost:user): ftp
>> 331 Guest login ok, type your name as password.
>> Password:
>> 230 Guest login ok, access restrictions apply.
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> ls ~{
>> 200 PORT command successful.
>> 421 Service not available, remote server has closed connection
>>
>> in inetd I find an error stating that the ftpd process has died unexpectedly
>>
>> Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
(7592843) /Brad <brad@comstyle.com>/------(Rewrapped)
7592839 2001-11-28 20:18 -0700  /21 lines/ Todd C. Miller <Todd.Miller@courtesan.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-29  05:01  by Brevbäraren
External recipient: script0r <script0r@axenet.org>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19929>
Comment on text 7592536 by script0r <script0r@axenet.org>
Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
To: "script0r" <script0r@axenet.org>
Cc: bugtraq@securityfocus.com
Message-ID: <200111290318.fAT3I77q013615@xerxes.courtesan.com>

In message <35684.24.51.95.122.1006990579.squirrel@mail.axenet.org>
	so spake "script0r" (script0r):

> I am running a Linux port of the BSD ftpd and it might be vulnerable to
> a similar attack:

It depends entirely on your glob(3) implementation since unlike
wu-ftpd, any port of the OpenBSD ftpd that doesn't include a private
glob.c will just use the one in your own libc.

We fixed a bunch of potential glob(3) problems in OpenBSD's glob.c
a while ago (though there may be more lurking--that is nasty code!).

 - todd
(7592839) /Todd C. Miller <Todd.Miller@courtesan.com>/
7592585 2001-11-28 18:59 -0500  /88 lines/ Mark Canter <marcus@doutlets.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-29  02:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19927>
Subject: WU-FTPD 2.6.1 diff glob.c patch
------------------------------------------------------------
From: Mark Canter <marcus@doutlets.com>
To: <bugtraq@securityfocus.com>
Message-ID: <010111281858350.7190-100000@homer.doutlets.com>


Generic patch against glob.c for:
Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability


-- SNIP --

--- glob.c.orig	Sat Jul  1 14:17:39 2000
+++ glob.c	Wed Nov 28 00:43:38 2001
@@ -298,7 +298,7 @@

     for (lm = restbuf; *p != '{'; *lm++ = *p++)
 	continue;
-    for (pe = ++p; *pe; pe++)
+    for (pe = ++p; *pe; pe++) {
 	switch (*pe) {

 	case '{':
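Review bot: the brace opened on `+    for (pe = ++p; *pe; pe++) {` is not closed in this hunk; its match is the `+    }` added just before `pend:` in the next hunk, so the two hunks only compile when applied together. The switch was already the loop's single statement, so the braces are stylistic; if they stay, a comment that the loop body now ends right before the `pend:` label would make the control flow easier to follow.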
@@ -314,11 +314,19 @@
 	case '[':
 	    for (pe++; *pe && *pe != ']'; pe++)
 		continue;
+	    if (!*pe) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
+    }
   pend:
-    brclev = 0;
-    for (pl = pm = p; pm <= pe; pm++)
+    if (brclev || !*pe) {
+	globerr = "Missing }";
+	return (0);
+    }
+    for (pl = pm = p; pm <= pe; pm++) {
 	switch (*pm & (QUOTE | TRIM)) {

 	case '{':
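Review bot: at `pend:` the reset `brclev = 0;` is replaced by `if (brclev || !*pe) { globerr = "Missing }"; return (0); }`, so the second loop now relies on brclev already being zero whenever the label is reached with `*pe` set; that holds only if every jump to `pend:` happens at brace depth zero, which this hunk does not show, so a one-line comment (or an explicit `brclev = 0;` after the check) would make the invariant visible. Both new error paths signal through `globerr` and `return (0)`, and nothing in the hunk clears `globerr` on entry; confirm that the glob entry point resets it per pattern, otherwise a stale "Missing }" could reject a later valid pattern, and confirm the ftpd callers test `globerr` rather than only the returned pointer, since that is the contract the advisory says was broken.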
@@ -352,19 +360,18 @@
 		return (1);
 	    sort();
 	    pl = pm + 1;
-	    if (brclev)
-		return (0);
 	    continue;

 	case '[':
 	    for (pm++; *pm && *pm != ']'; pm++)
 		continue;
-	    if (!*pm)
-		pm--;
+	    if (!*pm) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
-    if (brclev)
-	goto doit;
+    }
     return (0);
 }

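Review bot: removing `-    if (brclev)` / `-	goto doit;` at the end of the loop leaves `doit:` with no jump in the visible code; if nothing else targets that label, delete it too or the compiler will warn about an unused label. Dropping `if (brclev) return (0);` after `sort();` is also a behaviour change: an unbalanced brace inside a sub-pattern no longer ends expansion here, which is only safe because the scan in the previous hunk now rejects such patterns before this loop runs; a comment saying so would help. The new `Missing ]` branch replacing `pm--;` reports the condition the same way as the first loop, which is consistent.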
@@ -416,11 +423,10 @@
 		else if (scc == (lc = cc))
 		    ok++;
 	    }
-	    if (cc == 0)
-		if (ok)
-		    p--;
-		else
-		    return 0;
+	    if (cc == 0) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;

 	case '*':
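Review bot: in the matcher's `case '['`, `if (cc == 0)` now unconditionally sets `globerr = "Missing ]"` and returns 0, where the old code tolerated an unterminated class that had already matched (`if (ok) p--;`). Since the pattern scans in the earlier hunks reject a missing `]` before matching starts, this branch should be unreachable for patterns that arrive through glob, but it remains a behaviour change for any other caller of the matcher, and a 0 return here is indistinguishable from "no match" unless that caller inspects `globerr` afterwards.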
(7592585) /Mark Canter <marcus@doutlets.com>/-------
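The error-signalling contract described in the alert's Technical Description above, together with the "Missing ]" / "Missing }" checks the glob.c patch adds, as an added example in C. This is neither wu-ftpd code nor code from any post in this thread: the function names are hypothetical, expansion itself is left out, and the bracket-class rules (a leading ']' is a member) follow POSIX glob, which is an assumption about wu-ftpd's own scanner.

```c
/* Added example; not wu-ftpd's glob.c and not code from this thread. It
 * models the contract the SecurityFocus description and the glob.c patch
 * both rely on: an unterminated '{' or '[' is reported through an error
 * slot that is written on every call, and the caller checks that slot
 * before it uses or frees any result. All names are hypothetical. */
#include <stdlib.h>
#include <string.h>

/* Returns 1 if pat is well formed; otherwise returns 0 with *err pointing
 * at a static message. Backslash quoting is not modelled. */
static int glob_syntax_check(const char *pat, const char **err)
{
    int depth = 0;                  /* current '{' nesting level */
    const char *p;

    *err = NULL;                    /* never leave a stale message behind */
    for (p = pat; *p != '\0'; p++) {
        switch (*p) {
        case '[':                   /* bracket class must reach a ']' */
            p++;
            if (*p == '!') p++;     /* negation marker */
            if (*p == ']') p++;     /* leading ']' is a class member */
            while (*p != '\0' && *p != ']')
                p++;
            if (*p == '\0') {
                *err = "Missing ]";
                return 0;
            }
            break;
        case '{':
            depth++;
            break;
        case '}':
            if (depth > 0)          /* a stray '}' stays literal */
                depth--;
            break;
        }
    }
    if (depth > 0) {                /* "~{" ends up here */
        *err = "Missing }";
        return 0;
    }
    return 1;
}

/* Error text for one pattern, or "ok". */
static const char *glob_check_message(const char *pat)
{
    const char *err;
    return glob_syntax_check(pat, &err) ? "ok" : err;
}

/* Caller-side contract: the list starts as NULL, never uninitialised, so an
 * early return can never hand free() a stale pointer. Expansion is out of
 * scope; on success the NULL-terminated list holds the validated pattern. */
static char **glob_or_reject(const char *pat, const char **err)
{
    char **list;
    size_t len = strlen(pat) + 1;

    if (!glob_syntax_check(pat, err))
        return NULL;                /* nothing allocated, nothing to free */
    list = calloc(2, sizeof *list);
    if (list != NULL)
        list[0] = malloc(len);
    if (list == NULL || list[0] == NULL) {
        free(list);
        *err = "out of memory";
        return NULL;
    }
    memcpy(list[0], pat, len);
    return list;
}

static void free_glob_list(char **list)
{
    size_t i;
    if (list == NULL)
        return;
    for (i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

/* How a command handler consumes the result: reject on error, use the
 * entries, release everything exactly once. Returns -1 when rejected. */
static int count_matches(const char *pat)
{
    const char *err;
    char **list = glob_or_reject(pat, &err);
    int n = 0;

    if (list == NULL)
        return -1;
    while (list[n] != NULL)
        n++;
    free_glob_list(list);
    return n;
}
```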
7592817 2001-11-28 23:01 -0300  /608 lines/ Iván_Arce <core.lists.bugtraq@core-sdi.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-29  04:43  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External CC recipient: core.lists.vulnwatch@core-sdi.com
External CC recipient: iarce@corest.com
Recipient: Bugtraq (import) <19928>
Subject: CORE-20011001: Wu-FTP glob heap corruption vulnerability
------------------------------------------------------------
From: Iván_Arce <core.lists.bugtraq@core-sdi.com>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Cc: <core.lists.vulnwatch@core-sdi.com>, <iarce@corest.com>
Message-ID: <095301c17879$b4b521b0$2e58a8c0@ffornicario>

                        CORE Security Technologies
                          http://www.corest.com

                   Vulnerability Report For WU-FTPD Server


Date Published: 2001-11-28

Last Update: 2001-11-28

Advisory ID: CORE-20011001

Bugtraq ID: 3581

CVE CAN: None currently assigned

Title: WU-FTPD Improper Ftpglob Error Handling Vulnerability

Class: Failure to handle exceptional conditions

Remotely Exploitable: Yes

Locally Exploitable: Yes

Release Mode: FORCED RELEASE

Vulnerability Description:

The Washington University FTP daemon (WU-FTPD) is a highly modified
and significantly complex version of FTPD that provides some extra
features: custom logging, limited remote command support, and other
enhancements to the standard BSD version of FTPD.

A problem was found in all versions of Wu-FTPD included by default in
all major Linux distributions. Other platforms that ship wu-ftpd and
FTP server programs derived from it are affected.

By exploiting this problem, any user who is able to log into a
vulnerable version of the WU-FTPD server may be able to execute
arbitrary code remotely with the privileges of the server process
(usually root) which can lead to complete system compromise.

The problem is due to a combination of bugs, one located within the
function responsible for the globbing feature, which fails to
properly signal an error to its caller under certain conditions. The
glob function does not properly handle the string "~{" as an illegal
parameter.  The other bug is at the caller, a command parser
function, that incorrectly handles the error status returned by the
glob function allowing the corruption of the process memory space.

For those interested, a technical description and proof of concept
follow towards the end of this advisory.

Vulnerable Packages:

WU-FTPD

 All versions of wu-ftpd including and up to 2.6.1 are vulnerable.
 Version 2.7.0 snapshots are also vulnerable.  Note that 2.7.0 has
 not been released officially and is currently a testing version.

 Washington University wu-ftpd 2.6.1
  + Caldera OpenLinux Server 3.1
  + Caldera OpenLinux Workstation 3.1
  + Cobalt Qube 1.0
  + Conectiva Linux 7.0
  + Conectiva Linux 6.0
  + MandrakeSoft Corporate Server 1.0.1
  + MandrakeSoft Linux Mandrake 8.1
  + MandrakeSoft Linux Mandrake 8.0 ppc
  + MandrakeSoft Linux Mandrake 8.0
  + MandrakeSoft Linux Mandrake 7.2
  + MandrakeSoft Linux Mandrake 7.1
  + MandrakeSoft Linux Mandrake 7.0
  + MandrakeSoft Linux Mandrake 6.1
  + MandrakeSoft Linux Mandrake 6.0
  + RedHat Linux 7.2 noarch
  + RedHat Linux 7.2 ia64
  + RedHat Linux 7.2 i686
  + RedHat Linux 7.2 i586
  + RedHat Linux 7.2 i386
  + RedHat Linux 7.2 athlon
  + RedHat Linux 7.2 alpha
  + RedHat Linux 7.1 noarch
  + RedHat Linux 7.1 ia64
  + RedHat Linux 7.1 i686
  + RedHat Linux 7.1 i586
  + RedHat Linux 7.1 i386
  + RedHat Linux 7.1 alpha
  + RedHat Linux 7.0 sparc
  + RedHat Linux 7.0 i386
  + RedHat Linux 7.0 alpha
  + TurboLinux TL Workstation 6.1
  + TurboLinux Turbo Linux 6.0.5
  + TurboLinux Turbo Linux 6.0.4
  + TurboLinux Turbo Linux 6.0.3
  + TurboLinux Turbo Linux 6.0.2
  + TurboLinux Turbo Linux 6.0.1
  + TurboLinux Turbo Linux 6.0
  + Wirex Immunix OS 7.0-Beta
  + Wirex Immunix OS 7.0
 Washington University wu-ftpd 2.6.0
  + Cobalt Qube 1.0
  + Conectiva Linux 5.1
  + Conectiva Linux 5.0
  + Conectiva Linux 4.2
  + Conectiva Linux 4.1
  + Conectiva Linux 4.0es
  + Conectiva Linux 4.0
  + Debian Linux 2.2 sparc
  + Debian Linux 2.2 powerpc
  + Debian Linux 2.2 arm
  + Debian Linux 2.2 alpha
  + Debian Linux 2.2 68k
  + Debian Linux 2.2
  + RedHat Linux 6.2 sparc
  + RedHat Linux 6.2 i386
  + RedHat Linux 6.2 alpha
  + RedHat Linux 6.1 sparc
  + RedHat Linux 6.1 i386
  + RedHat Linux 6.1 alpha
  + RedHat Linux 6.0 sparc
  + RedHat Linux 6.0 i386
  + RedHat Linux 6.0 alpha
  + RedHat Linux 5.2 sparc
  + RedHat Linux 5.2 i386
  + RedHat Linux 5.2 alpha
  + S.u.S.E. Linux 6.4ppc
  + S.u.S.E. Linux 6.4alpha
  + S.u.S.E. Linux 6.4
  + S.u.S.E. Linux 6.3 ppc
  + S.u.S.E. Linux 6.3 alpha
  + S.u.S.E. Linux 6.3
  + S.u.S.E. Linux 6.2
  + S.u.S.E. Linux 6.1 alpha
  + S.u.S.E. Linux 6.1
  + TurboLinux Turbo Linux 4.0
  + Wirex Immunix OS 6.2
 Washington University wu-ftpd 2.5.0
  + Caldera eDesktop 2.4
  + Caldera eServer 2.3.1
  + Caldera eServer 2.3
  + Caldera OpenLinux 2.4
  + Caldera OpenLinux Desktop 2.3
  + RedHat Linux 6.0 sparc
  + RedHat Linux 6.0 i386
  + RedHat Linux 6.0 alpha

Sun Microsystems Inc.

 The Sun Cobalt Qube1 is vulnerable.

 Solaris is NOT vulnerable to this problem.

 As reported by Brent Paulson from Sun regarding
 Solaris ISP server that ships with a wu-ftpd derived server:
 "The Sun engineering group for the SISP in.ftpd product
  has verified that we are not vulnerable to the issue
  described in the described vulnerability."


Hewlett Packard

 As reported by Dan Grove from HP:

 " HP-UX is immune to this issue. It was fixed
  in conjunction with the last "globbing" issue
  announced in CERT Advisory CA-2001-07, released
  April 10, 2001. The lab did a complete check/scan
  of the globbing software, and fixed this issue then
  as well. Customers should apply the patches listed
  in HP Security Bulletin #162 released July 19, 2001:

  HPSBUX0107-162   Security Vulnerability in ftpd and ftp"


Solution/Vendor Information/Workaround:

 Wu-FTPD
  The wu-ftpd development team has devised a patch
  that fixes the problem and it is already applied to
  the current wu-ftpd source tree. Current 2.7.0
  snapshots are NOT vulnerable; however, 2.7.0 is
  not an official wu-ftpd release and should be treated
  as a testing version.

  The team will provide patches for the vulnerable
  WU-ftpd releases shortly.

 RedHat

   RedHat Linux has released an advisory and
   SRPMs to address the problem; they can be obtained
   from
     http://www.redhat.com/support/errata/RHSA-2001-157.html

 Conectiva Linux

   Fixed packages will be made available in the next days
   for all supported Conectiva Linux distributions at
   ftp://atualizacoes.conectiva.com.br

 Caldera Systems

  OpenLinux 2.3

    Vulnerable.
    Fixed packages were released on 2001/11/28:
      ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/068/

  OpenLinux eServer 2.3.1

    Vulnerable.
    Fixed packages were released on 2001/11/28:
     ftp://ftp.caldera.com/pub/updates/eServer/2.3/064/

  OpenLinux eDesktop 2.4

    Vulnerable.
    Fixed packages were released on 2001/11/28:
     ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/058/

  OpenLinux Workstation 3.1

    Not vulnerable. (Does not include wu-ftpd)

  OpenLinux Server 3.1

   Vulnerable.
   Fixed packages were released on 2001/11/28:
    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/020/

 Sun Microsystems

 "The only Sun Cobalt Server Appliance that is vulnerable to this
  exploit is the Qube1.  The Qube1 is no longer a supported appliance,
  but we do understand the need of having updates available.
  The following RPM is not officially supported by Sun Cobalt,
  but offers legacy customers the ability to maintain a limited
  level of security."

  Qube1:

ftp://ftp.cobaltnet.com/pub/unsupported/qube1/rpms/wu-ftpd-2.6.1-C1.NOPAM.mips.rpm

ftp://ftp.cobaltnet.com/pub/unsupported/qube1/srpms/wu-ftpd-2.6.1-C1.NOPAM.src.rpm


 SuSE Linux

  SuSE has a set of patches that fix the vulnerability.
  Updated packages that fix the vulnerability are available
  from the following URLs:

  i386 Intel Platform:

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm
      d1b549b8c2d91d66a8b35fe17a1943b3
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm
      9ef0e6ac850499dc0150939c62bc146f

    SuSE-7.2
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm
      4583443a993107b26529331fb1e6254d
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm
      aaee0343670feae70ccc9217a8e22211

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm
      347a030a85cb5fcbe32d3d79d382e19e
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm
      aa3e53641f6ce0263196e6f1cb0447c3

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm
      e34eec18ecc10f187f6aa1aa3b24b75b
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm
      fafc8c2bbd68dd5ca3d04228433c359a

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm
      2354abe95b056762c7f6584449291ff2
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm
      507b8d484b13737c9d2b6a68fda0cc26

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm
      9851ad02e656bba8b5e02ed2ddb46845
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm
      5d7c4b6824836ca28b228cc5dcfc4fd6

  Sparc Platform:

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm
      2d19e4ead17396a1e28fca8745f9629d
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm
      bdb0b5ddd72f8563db3c8e444a0df7f5

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm
      f6b04f284bece6bf3700facccc015ffe
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm
      1660547ac9a5a3b32a4070d69803cf18

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm
      1bd905b095b9a4bb354fc190b6e54a01
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm
      597263eb7d0fbbf242d519d3c126a441

  AXP Alpha Platform:

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm
      e608bfd2cc9e511c6eb6932c33c68789
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm
      34915af1ca79b27bad8bc2fd3a5cab05

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm
      86a7d8f60d76a053873bcc13860b0bbb
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm
      9674f9f1630b3107ac22d275705da76e

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm
      2501444a1e4241e8f6f4cdcc6fd133b0
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm
      34812d943900bdb902ad7edd40e1943f

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm
      429a49ef9d4d0865fbb443c212b8a8c7
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm
      76467dae0f460677ba80ec907eefca28

  PPC Power PC Platform:

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm
      a381269b3e2fc43fda59e4d08aef57ae
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm
      7cacb696a88e57a843402a796212aee6

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm
      bfc39be2c09323d96f974fdd0c73fda1
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm
      e2681b2ed4801ce14b5dfb926480ac51

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm
      19f989e637fd9b6fa652f8a4014bb7b1
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm
      76c493a915691c51a2481f0925e8ce39

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm
      ad29cf172bbd03a5e1f301cf6b9404e5
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm
      82338702692eba599d8c3d242aff3d1a

 MandrakeSoft

  MandrakeSoft has developed a patch for the problem, fixed packages
  will be made available shortly.

 Turbo Linux

  Contact TurboLinux for patch information and fixed packages.
  http://www.turbolinux.com/security/

 Debian Linux

  Debian has developed a patch for the problem, fixed packages
  will be made available shortly.


 WireX Immunix

  WireX has developed a patch for the problem, fixed packages
  will be made available shortly.

 Workaround:

 To prevent exploitation of this bug it is advised to disable
 anonymous FTP access until patches are applied.  Note that
 legitimate users with FTP accounts can still exploit the problem even
 if anonymous access is disabled. If legitimate FTP accounts pose a
 security risk, the FTP service should be disabled completely until
 fixed packages are deployed.


Vendors notified on: November 14th, 2001

Credits:

 This vulnerability was initially reported to the vuln-dev mailing
 list at SecurityFocus.com by Matt Power from Bindview Corp. on April
 30th, 2001.  At that time it was thought to be a non-exploitable bug
 and no further research was conducted.

 The bug was re-discovered independently by Luciano Notarfrancesco and
 Juan Pablo Martinez Kuhn from Core Security Technologies and confirmed
 to be exploitable on Nov. 1st, 2001.

 This advisory was drafted with the aid of the Vulnerability Help
 team at SecurityFocus.com.

 We would like to thank the VulnHelp Team, CERT, the WU-ftpd
 development team and the Linux vendors for their efforts in
 coordinating the release of information and availability of fixes.

Technical Description - Exploit/Concept Code:

 Tests were performed using wu-ftp server versions 2.6.1 and 2.7.0
 snapshots.

 The WU-FTPD server features globbing capabilities, allowing a user to
 search for pathnames matching patterns according to the rules used by
 the shell.  The feature does not use the glibc implementation of the
 glob() function; instead it implements its own in the glob.c file.

 This implementation fails to set the globerr variable under certain
 circumstances, bypassing the error checking after the call and
 causing an attempt to free an uninitialized memory address. This
 memory address is located in the process heap and can be manipulated
 by the user by issuing specially crafted commands to the server
 beforehand. This issue was found twice in the source code.

 The handling of the globbing metacharacters is done by the ftpglob()
 function included in the glob.c file. The function is called, for
 example, from ftpcmd.y line 1277 and line 1303 while processing
 pathnames for restricted and non-restricted users beginning with a
 '/' or a '~' character respectively.

   if (restricted_user && logged_in && $1 && strncmp($1, "/", 1) == 0){
 [...]
 globlist = ftpglob(t);
 [...]
   }

   else if (logged_in && $1 && strncmp($1, "~", 1) == 0) {
        char **globlist;

        globlist = ftpglob($1);
 [...]
   }

 After that, the variable globerr is checked to handle any possible
 error that could have happened during the globbing process; setting
 this variable is the responsibility of the ftpglob() function.

 Under certain circumstances not properly handled by the function,
 globerr is not set even though an error condition is present.

 Not being explicitly initialized, globlist contains whatever was in
 the heap before, which can be set with specially crafted requests to
 the server.

 As globerr was not set properly, the function attempts to free
 the provided pointer in ftpcmd.y line 1282 and line 1288.

                   if (globerr) {
                        reply(550, globerr);
                        $$ = NULL;
                        if (globlist) {
                            blkfree(globlist);
                            free((char *) globlist);
                        }
                    }
                    else if (globlist) {
                        $$ = *globlist;
                        blkfree(&globlist[1]);
                        free((char *) globlist);
                    }

 As shown, during the processing of a globbing pattern, the Wu-Ftpd
 implementation creates a list of the files that match.  The memory
 where this data is stored is on the heap, allocated using malloc().
 The globbing function simply returns a pointer to the list.  It is
 up to the calling functions to free the allocated memory.

 If an error occurs processing the pattern, memory will not be
 allocated and a variable indicating this should be set.  The calling
 functions must check the value of this variable before attempting to
 use the globbed filenames (and later freeing the memory).

 Under certain circumstances, the globbing function does not set this
 variable when an error occurs.  As a result of this, Wu-Ftpd will
 eventually attempt to free uninitialized memory.

 If this region of memory contained user-controllable data before the
 free call, it is possible to have an arbitrary word in memory
 overwritten with an arbitrary value.  This can lead to execution of
 arbitrary code if function pointers or return addresses are
 overwritten.
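 As an added illustration of the error-signalling contract described
 above (not wu-ftpd code, and not the project's own fix), the following
 C model pairs the buggy error path with a corrected one: toy_glob,
 glob_and_release and the 'a'-filled stale buffer are constructed
 stand-ins for ftpglob(), the ftpcmd.y caller and the leftover heap
 word, and the model reports which pointer would reach free() instead
 of calling it on a stale value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error channel shared by globber and caller, as in wu-ftpd: NULL means no error. */
static const char *globerr;

/* Constructed stand-in for the stale heap word an uninitialized pointer picks up:
 * four pointer slots filled with 'a' bytes, echoing the 0x61616161 in the gdb output.
 * It is never dereferenced; only its address is compared. */
static char **constructed_stale_heap(void)
{
    static char *junk[4];
    memset(junk, 'a', sizeof junk);
    return junk;
}

/* Toy globber (hypothetical, not ftpglob): matches only literal names.
 * What matters is the error path for the "~{" pattern from the advisory. */
static char **toy_glob(const char *pattern, int fixed, char **stale)
{
    char **list = stale;        /* models a local that the bad path never assigns */
    globerr = NULL;
    if (strncmp(pattern, "~{", 2) == 0) {
        if (fixed) {
            globerr = "Illegal pattern";   /* fixed: every error path signals... */
            list = NULL;                   /* ...and hands back nothing to free */
        }
        return list;            /* buggy: stale pointer returned, globerr still NULL */
    }
    list = malloc(2 * sizeof *list);
    if (list == NULL) { globerr = "Out of memory"; return NULL; }
    list[0] = malloc(strlen(pattern) + 1);
    if (list[0] == NULL) { free(list); globerr = "Out of memory"; return NULL; }
    strcpy(list[0], pattern);
    list[1] = NULL;
    return list;
}

enum outcome { NO_FREE, FREE_VALID_LIST, FREE_STALE_POINTER };

/* Mirrors the ftpcmd.y check: trusts globerr, then frees whatever it received.
 * A stale pointer is reported rather than passed to free(), so the model cannot crash. */
static enum outcome glob_and_release(const char *pattern, int fixed, char **stale)
{
    char **globlist = toy_glob(pattern, fixed, stale);
    char **victim = NULL;
    if (globerr) {                     /* wu-ftpd replies 550 here */
        if (globlist) victim = globlist;
    } else if (globlist) {
        victim = globlist;
    }
    if (victim == NULL) return NO_FREE;
    if (victim == stale) return FREE_STALE_POINTER;   /* the free(0x61616161) case */
    for (char **p = victim; *p; p++) free(*p);         /* blkfree() */
    free(victim);
    return FREE_VALID_LIST;
}

int main(void)
{
    char **stale = constructed_stale_heap();
    printf("buggy  ls ~{     -> %d (2 = stale pointer reaches free)\n", glob_and_release("~{", 0, stale));
    printf("fixed  ls ~{     -> %d (0 = nothing freed, 550 reply)\n", glob_and_release("~{", 1, stale));
    printf("fixed  ls README -> %d (1 = real list freed)\n", glob_and_release("README", 1, stale));
    return 0;
}
```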

 Details of how to exploit this type of problem are in the
 public domain and can be found in Phrack Magazine #57 article 9:

  http://www.phrack.org/show.php?p=57&a=9

 Unsuccessful exploitation of the problem does not lead to a denial of
 service, as the ftp server continues normal execution; only the
 thread handling the request fails, which helps the attacker to
 succeed.


 The following excerpt is a sample verification of the existence of
 the problem:

ftp> open localhost
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

 1405 ?        S      0:00 ftpd: accepting connections on port 21
 7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
26256 ?        S      0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3     R      0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136    in malloc.c


 Note that the segmentation fault is generated because the program is
 trying to free() a user-provided (and in this case invalid) memory
 chunk referenced by the value 0x61616161 (or its ASCII equivalent
 'aaaa', sent earlier in the session as the user password); this
 should be enough of a hint of the existence and exploitability of the
 bug.


DISCLAIMER:

The contents of this advisory are copyright (c) 2001 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.

$Id: WUFTPD_free_advisory.txt,v 1.5 2001/11/29 02:05:13 iarce Exp $



--- for a personal reply use: Iván Arce <ivan.arce@corest.com>
(7592817) /Iván_Arce <core.lists.bugtraq@core-sdi.com>/(Reflowed)
7596873 2001-11-29 17:46 +0100  /38 lines/ Junius, Martin <Martin.Junius@t-systems.de>
Sent by: joel@lysator.liu.se
Imported: 2001-11-29  21:19  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <19940>
Subject: RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------
From: "Junius, Martin" <Martin.Junius@t-systems.de>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <21380A50AB13D511A16200034723355C8F3176@G8PNU>

> I am running a linux port of the bsd ftpd and it might be vulnerable to
> a similar attack,
> 
> ftp localhost
> Connected to localhost.
> 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> Name (localhost:user): ftp
> 331 Guest login ok, type your name as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 200 PORT command successful.
> 421 Service not available, remote server has closed connection
> 
> in inetd I find an error stating that the ftpd process has 
> died unexpectedly
> 
> Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11

I just did some tests with RedHat 7.2, glibc-2.2.4-19, and
ftpd-BSD-0.3.2.  "ls ~{" makes the ftpd process die in glibc's
glob(pattern="~{", ...)  function with a SEGV. Besides that, ftpd-BSD
uses globfree() to release the memory. So as long as glibc's glob()
is safe, ftpd-BSD *should* be safe against this exploit.

On RedHat 6.2, glibc-2.1.3-22, "ls ~{" simply returns "No such file
or directory".

Martin
(7596873) /Junius, Martin <Martin.Junius@t-systems.de>/(Reflowed)
Comment in text 7597022 by Craig Leikis <cleikis@superpages.com>
Comment in text 7597148 by Sandor W. Sklar <ssklar@stanford.edu>
Comment in text 7602777 by Fred Mobach <fred@mobach.nl>
7597758 2001-11-29 11:53 +0100  /44 lines/ GiulioMaria Fontana <fontana@datawell.it>
Sent by: joel@lysator.liu.se
Imported: 2001-11-30  00:25  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19951>
Comment on text 7592536 by script0r <script0r@axenet.org>
Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------
From: GiulioMaria Fontana <fontana@datawell.it>
To: <bugtraq@securityfocus.com>
Message-ID: <20011129105345.83F4B42F70@psycho.sinapsi.net.com>

At 00:36, Thursday 29 November 2001, script0r wrote:

> I am running a linux port of the bsd ftpd and it might be vulnerable to
> a similar attack,
> 
> ftp localhost
> Connected to localhost.
> 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> Name (localhost:user): ftp
> 331 Guest login ok, type your name as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 200 PORT command successful.
> 421 Service not available, remote server has closed connection
> 
> in inetd I find an error stating that the ftpd process has died unexpectedly
> 
> Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11

[psycho@psycho 11/29/01/gio psycho]> ftp urano
Connected to urano.xxx.xxx
220 urano.xxx.xxx FTP server (Version 6.5.5 VFTPD, based on Version 
6.5/OpenBSD) ready.
Name (urano:psycho): gmfontana
331 Password required for gmfontana.
Password:
230 User gmfontana logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
200 PORT command successful.
421 Service not available, remote server has closed connection
ftp> 

Giulio
(7597758) /GiulioMaria Fontana <fontana@datawell.it>/