Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 13 Apr 1997 11:34:46 +0400
From:      Vadim Kolontsov <vadim@tversu.ac.ru>
To:        freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject:   ftpd bug (yes, again..)
Message-ID:  <19970413113446.26166@tversu.ac.ru>

next in thread | raw e-mail | index | archive | help
Hello,

  do you remeber a bug with "argc > 100" in ftpd_popen(), when users was
able to kill your ftpd to produce core dump with shadow password? Ok, this bug
(which was reported when 2.1 was the latest release) still presents
in 2.2 & 3.0
  Yes, ftpd was patched, but incompletely. It seems that this patches was 
never tested (although I didn't check a patch against "kill -11" yet)

  Here is an additional patch for 3.0's ftpd

============================== cut here ================================
*** popen.c.old	Sun Apr 13 11:22:59 1997
--- popen.c	Sun Apr 13 11:23:16 1997
***************
*** 95,101 ****
  
  	/* glob each piece */
  	gargv[0] = argv[0];
! 	for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
  		glob_t gl;
  		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
  
--- 95,101 ----
  
  	/* glob each piece */
  	gargv[0] = argv[0];
! 	for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1) && argc < MAXUSRARGS; argc++) {
  		glob_t gl;
  		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
============================== cut here ================================
  
  See the source code to understand why previous patch was incomplete -
it's easy...
  BTW, wu-ftpd latest beta (13) still can be killed in this way... although
wu-ftpd's maintainer was informed by me about 3 monthes ago.

With best regards, Vadim.

P.S. to test ftpd, do the following:

telnet your.host 21
user ftp (or your userid, if you have no anonymous ftp)
pass ftp@ (or your password)
list x x x x x x x x x x x ... (around 3 lines will be enough ;)

Bugged ftpdwill die here - "Connection closed by foreigh host".
Now look for core dump, extract password, start your Crack :)
--------------------------------------------------------------------------
Vadim Kolontsov                                          SysAdm/Programmer 
Tver Regional Center of New Information Technologies          Networks Lab




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970413113446.26166>