RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
From: Craig Leikis (cleikis@superpages.com)
Date: 11/29/01
Date: Thu, 29 Nov 2001 14:29:00 -0600 (CST)
From: Craig Leikis <cleikis@superpages.com>
To: <BUGTRAQ@securityfocus.com>
Subject: RE: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
Message-ID: <Pine.GSO.4.33.0111291425440.5059-100000@manx.superpages.com>

On Solaris 8, running wu-ftpd 2.6.1(1), ls "~{" didn't cause a problem, but
"dir ~{" did. It produced the following log message:

Nov 29 13:50:07 xxx ftpd[6132]: [ID 148269 daemon.error] exiting on signal 11

On Thu, 29 Nov 2001, Junius, Martin wrote:
> > I am running a linux port of the bsd ftpd and it might be
> > vulnerable to
> > a similar attack,
> >
> > ftp localhost
> > Connected to localhost.
> > 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> > Name (localhost:user): ftp
> > 331 Guest login ok, type your name as password.
> > Password:
> > 230 Guest login ok, access restrictions apply.
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls ~{
> > 200 PORT command successful.
> > 421 Service not available, remote server has closed connection
> >
> > in inetd I find an error stating that the ftpd process has
> > died unexpectedly
> >
> > Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
>
> I just did some tests with RedHat 7.2, glibc-2.2.4-19, and ftpd-BSD-0.3.2.
> "ls ~{" makes the ftpd process die in glibc's glob(pattern="~{", ...)
> function with a SEGV. Besides that, ftpd-BSD uses globfree() to release
> the memory. So as long as glibc's glob() is safe, ftpd-BSD *should*
> be safe against this exploit.
>
> On RedHat 6.2, glibc-2.1.3-22, "ls ~{" simply returns "No such file
> or directory".
>
> Martin
>
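
Added example, not part of the original messages: a small Python scan of syslog text for the two crash signatures quoted in this thread (ftpd "exiting on signal 11" and inetd "pid N: exit signal 11"). The sample log is constructed from those two lines plus invented benign lines, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: the first two lines follow the formats quoted in the
# thread; the remaining lines are invented to exercise the non-matching paths.
SAMPLE_LOG = """\
Nov 29 13:50:07 xxx ftpd[6132]: [ID 148269 daemon.error] exiting on signal 11
Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
Nov 28 14:22:01 playland inetd[82]: pid 16350: exit status 0
Nov 29 13:51:10 xxx ftpd[6140]: [ID 148269 daemon.error] exiting on signal 15
Nov 29 13:52:44 xxx sshd[700]: Accepted password for user
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
FTPD_SIG = re.compile(r"exiting on signal (\d+)")      # logged by ftpd itself
INETD_SIG = re.compile(r"pid (\d+): exit signal (\d+)")  # logged by the parent inetd


def find_crashes(text, signals=(11,)):
    """Return one event per line reporting a death by one of `signals`."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        pid = sig = None
        if prog.endswith("ftpd") and (s := FTPD_SIG.search(msg)):
            pid, sig = int(m["pid"]), int(s[1])
        elif prog == "inetd" and (s := INETD_SIG.search(msg)):
            # inetd names only the child pid, not the service; correlating
            # the pid with the ftp service is left to the operator.
            pid, sig = int(s[1]), int(s[2])
        if sig in signals:
            events.append({"ts": m["ts"], "host": m["host"],
                           "reporter": prog, "pid": pid, "signal": sig})
    return events


def crashes_per_host(events):
    """Count crash events per host, to spot repeated crashes on one server."""
    return Counter(e["host"] for e in events)


if __name__ == "__main__":
    for e in find_crashes(SAMPLE_LOG):
        print(e)
```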