From owner-freebsd-security  Mon Oct  2 11:46: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194])
	by hub.freebsd.org (Postfix) with ESMTP id 97D4B37B502
	for <security@freebsd.org>; Mon,  2 Oct 2000 11:46:01 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1)
	id 13gAac-000FBX-00; Mon, 02 Oct 2000 20:45:26 +0200
Date: Mon, 2 Oct 2000 20:45:26 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Brett Glass <brett@lariat.org>
Cc: "Chris D . Faulhaber" <jedgar@fxp.org>, security@FreeBSD.org
Subject: Re: ftpd bug in FreeBSD through at least 3.4
Message-ID: <20001002204526.A58098@mithrandr.moria.org>
References: <4.3.2.7.2.20001002113441.04932240@localhost> <4.3.2.7.2.20001002113441.04932240@localhost> <20001002142911.A25948@pawn.primelocation.net> <4.3.2.7.2.20001002123113.049344d0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.2.7.2.20001002123113.049344d0@localhost>; from brett@lariat.org on Mon, Oct 02, 2000 at 12:33:47PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon 2000-10-02 (12:33), Brett Glass wrote:
> At 12:29 PM 10/2/2000, Chris D . Faulhaber wrote:
> 
> >The system's ftp daemon or wu-ftpd?  The ftp daemons installed with 3.5.1
> >and 4.1[.1] don't seem affected.
> 
> It DEFINITELY works on FreeBSD's own ftpd in 3.4-RELEASE and all 2.x versions
> I have tested.

This is quite cute:

(nbm@futon) /home/nbm> ftp 127.0.0.1
Connected to 127.0.0.1.
220 futon.sunesi.com FTP server (Version 6.00) ready.
Name (127.0.0.1:nbm): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote %s%s%s%s
Segmentation fault

As in, it crashes the ftp client.

A 4.0 ftp client connecting to 'futon' (a 3.3 machine):

(nbm@couch) /home/nbm> ftp futon
Connected to futon.sunesi.com.
220 futon.sunesi.com FTP server (Version 6.00) ready.
Name (futon.sunesi.com:nbm): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quot %s%s%s%s
500 '%S%S%S%S': command not understood.

A 3.4 ftp client to 'futon' also segfaults.  The ftp server doesn't
segfault in the cases I've tried.

Neil
-- 
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message