From owner-freebsd-bugs Tue Oct 29 22:21:46 1996 Return-Path: owner-bugs Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA06135 for bugs-outgoing; Tue, 29 Oct 1996 22:21:46 -0800 (PST) Received: from mailserv.tversu.ac.ru (root@mailserv.tversu.ac.ru [193.233.128.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id WAA06118 for ; Tue, 29 Oct 1996 22:21:39 -0800 (PST) Received: from localhost (vadim@localhost) by mailserv.tversu.ac.ru (8.6.12/8.6.12) with SMTP id JAA22071; Wed, 30 Oct 1996 09:21:33 +0300 Date: Wed, 30 Oct 1996 09:21:31 +0300 (MSK) From: Vadim Kolontsov To: auscert@auscert.org.au cc: wu-ftpd-bugs@academ.com, bugs@freebsd.org Subject: Re: AUSCERT 9610181435 -- vuls in ftpd In-Reply-To: <199610300207.MAA00909@amethyst.auscert.org.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Hello, On Wed, 30 Oct 1996 auscert@auscert.org.au wrote: > We are preparing an advisory to issue concerning the recent vulnerabilities > in ftpd which allow users to cause it to core dump. We noticed your > posting to bugtraq concerning the wu-ftpd and two vulnerabilities > it has. > > > wuftpd can create core dump in two following situation too (yes, dump > >will contain some subset of shadowed passwords):> > > > >1) "pasv" given when user not logged in > > (caused by error in passive())> > > > >2) more than 100 arguments to any executable command (for example, "list") > > (caused by error in ftpd_popen())> > > > > First error presents in almost all version of bsd's ftpd, wu-ftpd and > >derived. Second error presents in all versions of bsd's ftpd, wu-ftpd and > >derived (as far as I know). > > We have been able to verify the first on the standard wu-ftpd 2.4. We > haven't been able to verify the second. --------------------------------------------------------------- Script started on Wed Oct 30 09:02:34 1996 /home/vadim> telnet ftp.academ.com 21 Trying 198.137.249.71... Connected to PHEASANT.ACADEM.COM. Escape character is '^]'. 220 pheasant FTP server (Version wu-2.4.2-academ[BETA-11](1) Fri Jul 26 19:43:17 CDT 1996) ready. user ftp 331 Guest login ok, send your complete e-mail address as password. pass vadim@tversu.ac.ru 230 Guest login ok, access restrictions apply. list x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x Connection closed by foreign host. /home/vadim> Script done on Wed Oct 30 09:03:36 1996 ------------------------------------------------------------------------- (Big sorry to ppl at academ.com, but I have no beta-11 on my host now) Why it works? Here is the fragment of ftpd (file popen.c): FILE * ftpd_popen(char *program, char *type, int closestderr) { . . . char *argv[100], /* break up string into pieces */ for (argc = 0, cp = program;; cp = NULL) if (!(argv[argc++] = strtok(cp, " \t\n"))) break; As you can see, there is no checking if argument count is greater than 100. So, if I'll give any command (such as "LIST"), which executes some binary ("ls" in this case) with more than 100 arguments, ftpd dies and generates core dump. Fortunately, this bug cannot be exploit using "buffer-overflow technology", because argv[] is array, not a string. Patch is simple, of course -- add checking for "argc < 100" in cycle header. Now about second error, with "pasv" command... File ftpd.c: void passive() { int len; u_short port; char *p, *a; pdata = socket(AF_INET, SOCK_STREAM, 0); if (pdata < 0) { perror_reply(425, "Can't open passive connection"); return; } if (restricted_data_ports) { for (port = FTP_DATA_BOTTOM; port <= FTP_DATA_TOP; port++) { pasv_addr = ctrl_addr; pasv_addr.sin_port = htons(port); (void) seteuid((uid_t)0); if (bind(pdata, (struct sockaddr *)&pasv_addr, sizeof(pasv_addr)) < 0) { (void) seteuid((uid_t)pw->pw_uid); When no one logged in, pw == NULL, and seteuid((uid_t)pw->pw_uid) causes core dump. Patch is very simple too -- add the following lines in start of function (before "pdata = socket(AF_INET..."): if (!pw) { reply(530, "Please login with USER and PASS"); return; } Third error in ftpd... kill -11 Because ftpd runs with user's privilegies (after user logged in), user can generate core dump by killing ftp-daemon with signal 11. If you need more information (including example and patch), ask. Of course, if I want to read core dump, I have to login first to change current dir (using "CWD") to directory like /incoming or my homedir (if I have account on victim machine) and only then kill ftp-daemon by 'pasv', kill or 'list'... > We'd be very interested in hearing your feedback about whether the problems > exist under beta-11 or not. Those error (1, 2 and 3) presents almost in *ALL* versions of ftpd (FreeBSD's ftpd, Solaris' ftpd and so on), because it presents in original berkeley ftpd, which others derived from. With best regards, Vadim. P.S. 2 FreeBSD core team: I hope, this bugs will be fixed in 2.2 P.S. 2 ACADEM: I hope, it will be fixed in next beta?.. -------------------------------------------------------------------------- Vadim Kolontsov SysAdm/Programmer Tver Regional Center of New Information Technologies Networks Lab