From owner-freebsd-security Sun Apr 13 00:35:40 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA22093 for security-outgoing; Sun, 13 Apr 1997 00:35:40 -0700 (PDT)
Received: from mailserv.tversu.ac.ru (root@mailserv.tversu.ac.ru [193.233.128.3]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id AAA22088; Sun, 13 Apr 1997 00:35:35 -0700 (PDT)
Received: (from vadim@localhost) by mailserv.tversu.ac.ru (8.6.12/8.6.12) id LAA05138; Sun, 13 Apr 1997 11:34:47 +0400
Message-ID: <19970413113446.26166@tversu.ac.ru>
Date: Sun, 13 Apr 1997 11:34:46 +0400
From: Vadim Kolontsov
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: ftpd bug (yes, again..)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.64
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

do you remember a bug with "argc > 100" in ftpd_popen(), when users were able to kill your ftpd to produce a core dump with shadow passwords? Ok, this bug (which was reported when 2.1 was the latest release) is still present in 2.2 & 3.0. Yes, ftpd was patched, but incompletely. It seems that these patches were never tested (although I didn't check a patch against "kill -11" yet).

Here is an additional patch for 3.0's ftpd

============================== cut here ================================
*** popen.c.old Sun Apr 13 11:22:59 1997 --- popen.c Sun Apr 13 11:23:16 1997 *************** *** 95,101 **** /* glob each piece */ gargv[0] = argv[0]; ! for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; --- 95,101 ---- /* glob each piece */ gargv[0] = argv[0]; ! 
for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1) && argc < MAXUSRARGS; argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
============================== cut here ================================

See the source code to understand why the previous patch was incomplete - it's easy...

BTW, wu-ftpd's latest beta (13) still can be killed in this way... although wu-ftpd's maintainer was informed by me about 3 months ago.

With best regards,
Vadim.

P.S. to test ftpd, do the following:

telnet your.host 21
user ftp (or your userid, if you have no anonymous ftp)
pass ftp@ (or your password)
list x x x x x x x x x x x ... (around 3 lines will be enough ;)

Bugged ftpd will die here - "Connection closed by foreign host". Now look for core dump, extract password, start your Crack :)

--------------------------------------------------------------------------
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab
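Review bot: the new `argc < MAXUSRARGS` guard on the changed `for` line is the right bound, but the hunk should say why it is needed and should not leave the over-long case silent. The loop's other guard, `argv[argc]`, only works if a NULL sentinel follows the last argument, and the split loop earlier in ftpd_popen() cannot leave one once it fills all MAXUSRARGS slots of the fixed-size argv array; without this index bound the loop then reads past the end of argv, which is why the earlier fix was incomplete and deserves a one-line comment above the loop. With the bound in place, arguments beyond MAXUSRARGS are now dropped without any diagnostic; consider having the split loop reserve the last argv slot for the NULL terminator and reject an over-long command line with an error reply, so correctness does not rest on this loop condition alone.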
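The defensive shape of the two loops in ftpd_popen(), as an added example that is not the FreeBSD or wu-ftpd code: the split loop always leaves a NULL sentinel and refuses over-long lines instead of truncating them, and the consumer loop keeps the explicit index bound from the patch as a second guard. MAXUSRARGS follows the patch; split_args, count_args and the demo helpers are assumed names, and the input lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAXUSRARGS 100   /* same cap the patch uses */
/* Split `line` in place into argv[]. Always stores a NULL sentinel and rejects
 * (returns -1) a line with more than MAXUSRARGS-1 arguments instead of silently
 * dropping them, so a later `argv[argc]` walk can never run off the array. */
int split_args(char *line, char *argv[MAXUSRARGS])
{
    int argc = 0;
    char *tok;
    for (tok = strtok(line, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (argc >= MAXUSRARGS - 1) {   /* last slot is reserved for the sentinel */
            argv[0] = NULL;
            return -1;
        }
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Consumer modelled on the patched glob loop: the explicit index bound backs up
 * the sentinel test, so an argv filled without a sentinel is still walked safely. */
int count_args(char *argv[MAXUSRARGS])
{
    int argc = 0;
    while (argc < MAXUSRARGS && argv[argc] != NULL) argc++;
    return argc;
}

/* Demo helper: constructed "list x x x ..." line with `nargs` x's. */
int demo_split(int nargs)
{
    static char line[4 * MAXUSRARGS];
    char *argv[MAXUSRARGS];
    int n = snprintf(line, sizeof line, "list"), i;
    for (i = 0; i < nargs && n < (int)sizeof line - 2; i++)
        n += snprintf(line + n, sizeof line - n, " x");
    return split_args(line, argv);
}

/* Demo helper: every slot filled, no sentinel anywhere (the worst case). */
int demo_count_unterminated(void)
{
    char *argv[MAXUSRARGS]; int i;
    for (i = 0; i < MAXUSRARGS; i++) argv[i] = "x";
    return count_args(argv);
}
```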