From owner-freebsd-security Mon Oct 2 11:50:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 0B9AE37B503 for ; Mon, 2 Oct 2000 11:50:16 -0700 (PDT)
Received: from bsdie.rwsystems.net([209.197.223.2]) (5224 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Mon, 2 Oct 2000 13:48:48 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Mon, 2 Oct 2000 13:48:48 -0500 (CDT)
From: James Wyatt
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: ftpd bug in FreeBSD through at least 3.4
In-Reply-To: <4.3.2.7.2.20001002113441.04932240@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Uh, Brett, the FreeBSD and Linux ftpd differ a *lot*! You'll get more mail.

That aside, this segfaults the client on the command line. Read my lips, "no new privileges". (Like most of the Pine bugs discussed earlier.) (^_^) It's even easier to duplicate than the original post. You can do it on a failed login, and it needs only one %s to coredump. (Should the FreeBSD client leave a core file, btw?) Try this:

	goodguy@bsdie-/tmp: ftp 127.1
	Connected to 127.1.
	220 mybox.my.net FTP server (Version 6.00) ready.
	Name (127.1:goodguy): root
	530 User root access denied.
	ftp: Login failed.
	Remote system type is UNIX.
	Using binary mode to transfer files.
	ftp> quote %s
	Segmentation fault (core dumped)

Hope this helps clarify things a little..
- Jy@

On Mon, 2 Oct 2000, Brett Glass wrote:

> Date: Mon, 02 Oct 2000 12:18:25 -0600
> From: Brett Glass
> To: security@FreeBSD.ORG
> Subject: ftpd bug in FreeBSD through at least 3.4
>
> I've received LOTS of anonymous FTP login attempts on the FreeBSD boxen
> I administer, and have been wondering why. Perhaps this message explains
> it! The below works on all 2.x versions of FreeBSD, and in the 3.x branch
> up until at least 3.4-RELEASE (maybe later).
>
> Am not sure to what extent this bug can be exploited. At best, it would
> probably just let someone run things as the user "ftp" (the euid used for
> anonymous FTP logins). This might make it possible to finesse a known
> local root exploit into a remote one, and/or to start an automated
> password cracking process (a la the RTM worm) on the system. At worst,
> it might be possible to parlay it into something worse.
>
> --Brett
>
>
> >Approved-By: aleph1@SECURITYFOCUS.COM
> >Delivered-To: bugtraq@lists.securityfocus.com
> >Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by
> > lists.securityfocus.com (Postfix) with SMTP id 259D024C7F5 for
> > ; Mon, 2 Oct 2000 08:27:37 -0700
> > (PDT)
> >Received: (qmail 21295 invoked by alias); 2 Oct 2000 15:29:30 -0000
> >Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
> >Received: (qmail 21292 invoked from network); 2 Oct 2000 15:29:29 -0000
> >Received: from unknown (HELO mail.multigroup-bg.com) (212.36.2.250) by
> > mail.securityfocus.com with SMTP; 2 Oct 2000 15:29:29 -0000
> >Received: from mgoracle2000 ([192.168.32.220]) by mail.multigroup-bg.com
> > (8.9.3/8.9.3) with SMTP id SAA32372 for ;
> > Mon, 2 Oct 2000 18:28:32 +0300
> >MIME-Version: 1.0
> >Content-Type: text/plain; charset="iso-8859-1"
> >Content-Transfer-Encoding: 8bit
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> >X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
> >Message-ID: <001301c02c8d$ca506090$dc20a8c0@mgoracle2000>
> >Date: Mon, 2 Oct 2000 18:28:26 +0200
> >Reply-To: Javor Ninov
> >Sender: Bugtraq List
> >From: Javor Ninov
> >Organization: MG Bulgaria
> >Subject: Wu-ftpd 2.6.1(1)
> >To: BUGTRAQ@SECURITYFOCUS.COM
> >X-UIDL: 34a5d41e2d991fbaee20ab8924544a45
> >
> >somewhere:/$ ftp 127.0.0.1
> >Connected to 1127.0.0.1.
> >220 somewhere.in.internet FTP server (Version wu-2.6.1(1) Mon Jul 3 10:49:59
> >EEST 2000) ready.
> >Name (0:somebody): ftp
> >331 Guest login ok, send your complete e-mail address as password.
> >Password:
> >230-Welcome, archive user! This is an experimental FTP server. If have any
> >230-unusual problems, please report them via e-mail to
> >root@somewhere.in.internet
> >230-If you do have problems, please try using a dash (-) as the first
> >character
> >230-of your password -- this will turn off the continuation messages that
> >may
> >230-be confusing your ftp client.
> >230-
> >230 Guest login ok, access restrictions apply.
> >Remote system type is UNIX.
> >Using binary mode to transfer files.
> >ftp> quote %s%s%s%s
> >500 'TP¿9(NULL)': command not understood.
> >ftp>quote %s%s%s%s%s
> >Segmentation fault
> >somewhere:/$ uname -a
> >Linux somewhere 2.2.12 #1 Sun Sep 19 13:35:59 EEST 1999 i686 unknown
> >somewhere:/$
> >This is a Slackware 4.0 with last wuftpd.tgz ( 02-oct-2000 )
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
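Both sessions in the thread above end with the ftp client dying after a line containing %s is typed, which is how a printf-family call behaves when user-controlled text reaches it as the format string rather than as an argument. The following is an added C example, not code from the FreeBSD or wu-ftpd sources the messages discuss: the function names (count_format_directives, echo_command_safe) and the sample command strings are constructed for illustration. It shows the hardened pattern (a literal format, with the user text passed as an argument) next to a small check that flags text which must never be handed to a format parameter.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not the FreeBSD or wu-ftpd source). The crashes reported
 * above are consistent with user-controlled text ("quote %s", or a server
 * reply that echoes it) being handed to a printf-family function as the
 * format. The unsafe shape is:
 *
 *     snprintf(out, outsz, cmd);      // cmd may contain %s, %n, ...
 *
 * which makes every "%s" in cmd read an argument that was never passed.
 * The fix is to keep the format a literal and pass the text as an argument.
 */

/* Constructed sample inputs mirroring the sessions quoted in the thread. */
static const char *const sample_cmds[] = {
    "quote %s",
    "quote %s%s%s%s%s",
    "NOOP",
    "100%% done",
};

/* Count conversion directives in s: a '%' not immediately followed by
 * another '%'. A non-zero count means the string must never be used as a
 * format string; useful for logging or rejecting such input at a boundary. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened echo: the format is a literal and the user text is an argument,
 * so "%s" inside cmd is copied verbatim. Returns the number of characters
 * written (excluding the NUL), or -1 if out is too small for the line. */
int echo_command_safe(char *out, size_t outsz, const char *cmd)
{
    int r = snprintf(out, outsz, "ftp: %s\n", cmd);
    if (r < 0 || (size_t)r >= outsz)
        return -1;
    return r;
}

int main(void)
{
    char line[128];
    size_t i;

    for (i = 0; i < sizeof sample_cmds / sizeof sample_cmds[0]; i++) {
        const char *cmd = sample_cmds[i];
        int directives = count_format_directives(cmd);

        if (echo_command_safe(line, sizeof line, cmd) < 0) {
            fputs("ftp: command too long\n", stderr);
            continue;
        }
        /* The echoed line comes out intact; then report what the check found. */
        fputs(line, stdout);
        printf("  -> %d conversion directive(s)%s\n", directives,
               directives ? " (unsafe as a format string)" : "");
    }
    return 0;
}
```

Compiling with `cc -Wall -Wformat-security` makes gcc and clang warn on the unsafe shape shown in the comment (a non-literal format passed with no arguments), which is the cheapest way to sweep a code base for this class of bug before any input-side check like count_format_directives is needed.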