Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability

From: Patrick Cantwell (seamus@manhattan.insomnia.org)
Date: 12/05/01


Date: Wed, 5 Dec 2001 10:35:11 -0500 (EST)
From: Patrick Cantwell <seamus@manhattan.insomnia.org>
To: <bugtraq@securityfocus.com>

Yes, this must be library related. I have 2 machines here both running the
same version of the OpenBSD ftpd ported to linux. One's a slackware 7.1
box, one's a prerelease version of slackware 8 (installed the machine
before 8.0 made -release)..

on the older machine:

(Wed 10:25am) seamus@bofh ttyp0:~> ftp XXX
Connected to XXX.XXX.XXX.
220 XXX.XXX.XXX FTP server (Version 6.5/OpenBSD, linux port 0.3.2)
ready.
Name (XXX:seamus): seamus
331 Password required for seamus.
Password:
230- Linux 2.2.18.
230 User seamus logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al\ ~{
200 PORT command successful.
421 Service not available, remote server has closed connection.
ftp> quit
(Wed 10:25am) seamus@bofh ttyp0:~>

on the newer machine:

(Wed 10:25am) seamus@bofh ttyp0:~> ftp YYY
Connected to YYY.YYY.YYY.
220 YYY.YYY.YYY FTP server (Version 6.5/OpenBSD, linux port 0.3.2)
ready.
Name (YYY:seamus): seamus
331 Password required for seamus.
Password:
230-
230 User seamus logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al\ ~{
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
ftpd: ~{: No such file or directory
226 Transfer complete.
ftp>

If anyone would like to know more details (exact version numbers of glibc,
etc..) please feel free to email me..

--
TheFloyd

On Thu, 29 Nov 2001, Flavio Veloso wrote:

> Date: Thu, 29 Nov 2001 09:32:33 -0200 (BRST) > From: Flavio Veloso <flaviovs@magnux.com> > To: script0r <script0r@axenet.org> > Cc: bugtraq@securityfocus.com > Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption > Vulnerability > > On Wed, 28 Nov 2001, script0r wrote: > > > > Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability > (...) > > I am running the a linux port of the bsd ftpd and it might be vulnerable to > > a similar attack, > > > > ftp localhost > > Connected to localhost. > > 220 playlandFTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready. > > Name (localhost:user): ftp > > 331 Guest login ok, type your name as password. > > Password: > > 230 Guest login ok, access restrictions apply. > > Remote system type is UNIX. > > Using binary mode to transfer files. > > ftp> ls ~{ > > 200 PORT command successful. > > 421 Service not available, remote server has closed connection > > > > in inetd I find an error stating that the ftpd process has died unexpectedly > > > > Nov 28 14:21:28 playland inetd[82]: pid 16341: exit signal 11 > > This may not be related to the wu-ftpd bug. I was just experiencing > the same problem here, but further investigation showed up that it was > due a bug in the glibc implementation of glob(3) (not exploitable, > AFAICT). > > See http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html for > details. > > -- > Flávio >