Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability

From: Patrick Cantwell (seamus@manhattan.insomnia.org)
Date: 12/05/01


Date: Wed, 5 Dec 2001 10:35:11 -0500 (EST)
From: Patrick Cantwell <seamus@manhattan.insomnia.org>
To: <bugtraq@securityfocus.com>

Yes, this must be library related. I have 2 machines here both running the
same version of the OpenBSD ftpd ported to Linux. One's a Slackware 7.1
box, one's a prerelease version of Slackware 8 (installed the machine
before 8.0 made -release).

on the older machine:

(Wed 10:25am) seamus@bofh ttyp0:~> ftp XXX
Connected to XXX.XXX.XXX.
220 XXX.XXX.XXX FTP server (Version 6.5/OpenBSD, linux port 0.3.2) ready.
Name (XXX:seamus): seamus
331 Password required for seamus.
Password:
230- Linux 2.2.18.
230 User seamus logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al\ ~{
200 PORT command successful.
421 Service not available, remote server has closed connection.
ftp> quit
(Wed 10:25am) seamus@bofh ttyp0:~>

on the newer machine:

(Wed 10:25am) seamus@bofh ttyp0:~> ftp YYY
Connected to YYY.YYY.YYY.
220 YYY.YYY.YYY FTP server (Version 6.5/OpenBSD, linux port 0.3.2) ready.
Name (YYY:seamus): seamus
331 Password required for seamus.
Password:
230-
230 User seamus logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al\ ~{
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
ftpd: ~{: No such file or directory
226 Transfer complete.
ftp>

If anyone would like to know more details (exact version numbers of glibc,
etc.), please feel free to email me.

--
TheFloyd

On Thu, 29 Nov 2001, Flavio Veloso wrote:

> Date: Thu, 29 Nov 2001 09:32:33 -0200 (BRST)
> From: Flavio Veloso <flaviovs@magnux.com>
> To: script0r <script0r@axenet.org>
> Cc: bugtraq@securityfocus.com
> Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption
> Vulnerability
>
> On Wed, 28 Nov 2001, script0r wrote:
>
> > > Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability
> (...)
> > I am running a linux port of the bsd ftpd and it might be vulnerable to
> > a similar attack,
> >
> > ftp localhost
> > Connected to localhost.
> > 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
> > Name (localhost:user): ftp
> > 331 Guest login ok, type your name as password.
> > Password:
> > 230 Guest login ok, access restrictions apply.
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls ~{
> > 200 PORT command successful.
> > 421 Service not available, remote server has closed connection
> >
> > in inetd I find an error stating that the ftpd process has died unexpectedly
> >
> > Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11
>
> This may not be related to the wu-ftpd bug. I was just experiencing
> the same problem here, but further investigation showed up that it was
> due to a bug in the glibc implementation of glob(3) (not exploitable,
> AFAICT).
>
> See http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html for
> details.
>
> --
> Flávio
>
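
The difference between the two sessions above (connection dropped on one box, a clean "No such file or directory" on the other) can be checked against a local C library without an FTP server. This is an added example, not code from the thread or from ftpd: the flag set and the second, well-formed pattern are assumptions, and glob(3) is called in a child process so that a fault is reported as a signal number, the way inetd logged it, instead of taking down the checker.

```c
/* Added example: probe the local glob(3) with the pattern from this thread. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* GLOB_BRACE / GLOB_TILDE are extensions */
#endif
#include <glob.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed flag set; the Linux port's real flags are not shown in the thread. */
#define PROBE_FLAGS (GLOB_BRACE | GLOB_TILDE | GLOB_NOCHECK)

/*
 * Run glob(3) on `pattern` in a child process.
 * Returns glob()'s return code (0 or a positive GLOB_* error),
 * -SIGNUM if the child was killed by a signal, or -1000 on fork/wait failure.
 */
int probe_glob(const char *pattern)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1000;
    if (pid == 0) {                       /* child: the only place glob runs */
        glob_t g;
        int rc = glob(pattern, PROBE_FLAGS, NULL, &g);
        if (rc == 0)
            globfree(&g);
        _exit(rc);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1000;
    if (WIFSIGNALED(status))              /* e.g. 11 (SIGSEGV) on a faulty libc */
        return -WTERMSIG(status);
    return WEXITSTATUS(status);
}

int main(void)
{
    /* "~{" is the pattern typed in the sessions above; the other is constructed. */
    const char *patterns[] = { "~{", "/{etc,tmp}" };
    for (size_t i = 0; i < 2; i++) {
        int r = probe_glob(patterns[i]);
        if (r < 0 && r != -1000)
            printf("%-12s glob(3) died with signal %d\n", patterns[i], -r);
        else
            printf("%-12s glob(3) returned %d\n", patterns[i], r);
    }
    return 0;
}
```

A negative result for `~{` points at the C library rather than the daemon, which is the distinction the thread is trying to draw.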


