Site Navigation

Date:      Wed, 30 Oct 1996 09:21:31 +0300 (MSK)
From:      Vadim Kolontsov <vadim@tversu.ac.ru>
To:        auscert@auscert.org.au
Cc:        wu-ftpd-bugs@academ.com, bugs@freebsd.org
Subject:   Re: AUSCERT 9610181435 -- vuls in ftpd
Message-ID:  <Pine.NEB.3.95.961030090339.21937A-100000@mailserv.tversu.ac.ru>
In-Reply-To: <199610300207.MAA00909@amethyst.auscert.org.au>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

Hello,

On Wed, 30 Oct 1996 auscert@auscert.org.au wrote:

> We are preparing an advisory to issue concerning the recent vulnerabilities
> in ftpd which allow users to cause it to core dump.  We noticed your
> posting to bugtraq concerning the wu-ftpd and two vulnerabilities
> it has.
> 
> >  wuftpd can create core dump in two following situation too (yes, dump
> >will contain some subset of shadowed passwords):>
> >
> >1) "pasv" given when user not logged in
> >   (caused by error in passive())>
> >
> >2) more than 100 arguments to any executable command (for example, "list")
> >   (caused by error in ftpd_popen())>
> >
> >  First error presents in almost all version of bsd's ftpd, wu-ftpd and
> >derived. Second error presents in all versions of bsd's ftpd, wu-ftpd and
> >derived (as far as I know).
> 
> We have been able to verify the first on the standard wu-ftpd 2.4.  We
> haven't been able to verify the second.

---------------------------------------------------------------
Script started on Wed Oct 30 09:02:34 1996

/home/vadim> telnet ftp.academ.com 21
Trying 198.137.249.71...
Connected to PHEASANT.ACADEM.COM.
Escape character is '^]'.
220 pheasant FTP server (Version wu-2.4.2-academ[BETA-11](1) Fri Jul 26 19:43:17 CDT 1996) ready.
user ftp
331 Guest login ok, send your complete e-mail address as password.
pass vadim@tversu.ac.ru
230 Guest login ok, access restrictions apply.
list x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 
x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x
Connection closed by foreign host.
/home/vadim>

Script done on Wed Oct 30 09:03:36 1996
-------------------------------------------------------------------------
(Big sorry to ppl at academ.com, but I have no beta-11 on my host now)

Why it works? Here is the fragment of ftpd (file popen.c):

FILE * ftpd_popen(char *program, char *type, int closestderr)
{
    .  .  .

    char *argv[100],

    /* break up string into pieces */
    for (argc = 0, cp = program;; cp = NULL)
        if (!(argv[argc++] = strtok(cp, " \t\n")))
            break;

  As you can see, there is no checking if argument count is greater than
100. So, if I'll give any command (such as "LIST"), which executes
some binary ("ls" in this case) with more than 100 arguments, ftpd
dies and generates core dump.
  Fortunately, this bug cannot be exploit using "buffer-overflow
technology", because argv[] is array, not a string. 
  Patch is simple, of course -- add checking for "argc < 100" in cycle
header.

  Now about second error, with "pasv" command...

File ftpd.c:

void passive()
{
	int len;
	u_short port;
	char *p, *a;

	pdata = socket(AF_INET, SOCK_STREAM, 0);
	if (pdata < 0) {
		perror_reply(425, "Can't open passive connection");
		return;
	}

	if (restricted_data_ports) {
		for (port = FTP_DATA_BOTTOM; port <= FTP_DATA_TOP; port++) {
			pasv_addr = ctrl_addr;
			pasv_addr.sin_port = htons(port);
			(void) seteuid((uid_t)0);
			if (bind(pdata, (struct sockaddr *)&pasv_addr,
				 sizeof(pasv_addr)) < 0) {
				(void) seteuid((uid_t)pw->pw_uid);

  When no one logged in, pw == NULL, and seteuid((uid_t)pw->pw_uid) causes
core dump. Patch is very simple too -- add the following lines in start of
function (before "pdata = socket(AF_INET..."):
  
	if (!pw) {
		reply(530, "Please login with USER and PASS");
		return;
	}

  Third error in ftpd... kill -11
  Because ftpd runs with user's privilegies (after user logged in), user
can generate core dump by killing ftp-daemon with signal 11. If you need
more information (including example and patch), ask.

  Of course, if I want to read core dump, I have to login first to change
current dir (using "CWD") to directory like /incoming or my homedir
(if I have account on victim machine) and only then kill ftp-daemon by
'pasv', kill or 'list'...

> We'd be very interested in hearing your feedback about whether the problems
> exist under beta-11 or not.

  Those error (1, 2 and 3) presents almost in *ALL* versions of ftpd
(FreeBSD's ftpd, Solaris' ftpd and so on), because it presents in original
berkeley ftpd, which others derived from.

With best regards, Vadim.

P.S. 2 FreeBSD core team: I hope, this bugs will be fixed in 2.2
P.S. 2 ACADEM: I hope, it will be fixed in next beta?..
--------------------------------------------------------------------------
Vadim Kolontsov                                          SysAdm/Programmer 
Tver Regional Center of New Information Technologies          Networks Lab

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.95.961030090339.21937A-100000>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact