wu-ftpd.2.6.0.rfp
Posted Nov 28, 2001
Authored by rain forest puppy | Site wiretrip.net

Details and source diffs (taken from Red Hat's wu-ftpd-2.6.1-sec.patch) for the wu-ftpd v2.6.1 remote overflow vulnerability. By leaving off the closing ']' and '}' characters, it's possible to get the glob function to construct a long string; the author suspects this is being combined with a filename buffer overflow in gzip v1.2.4.

tags | remote, overflow
MD5 | 9afb781f1eb9dc807231073297c6358e

Those of you who monitor 'other' security lists may have caught a "we know
something about wu-ftpd" message that came across not too long ago. And today,
RedHat released some updated wu-ftpd RPMs. So, in order to learn the
details of the bug, I grabbed the SRPM and took a peek.

Included in the SRPM is wu-ftpd-2.6.1-sec.patch, which is dated Nov 21.
This looks like a winner. The pertinent parts of the patch are:


--- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001
+++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001
@@ -309,7 +309,7 @@
if (lm >= restbufend)
return (0);
}
- for (pe = ++p; *pe; pe++)
+ for (pe = ++p; *pe; pe++) {
switch (*pe) {

case '{':
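Review bot: the `{` added to `for (pe = ++p; *pe; pe++) {` has its matching `}` only in the next hunk (the `+ }` inserted just before `pend:`), so the two hunks compile only together; a brace-wrapping change like this is easier to review split out from the logic fix, or at least worth a line in the patch description. Functionally nothing changes here: the `switch` was already the loop's sole statement, so the `continue`s inside it applied to this `for` before and after.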
@@ -325,11 +325,19 @@
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
+ if (!*pe) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
+ }
pend:
- brclev = 0;
- for (pl = pm = p; pm <= pe; pm++)
+ if (brclev || !*pe) {
+ globerr = "Missing }";
+ return (0);
+ }
+ for (pl = pm = p; pm <= pe; pm++) {
switch (*pm & (QUOTE | TRIM)) {

case '{':
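Review bot: the `if (!*pe)` added after `for (pe++; *pe && *pe != ']'; pe++)` is what closes the over-read: that inner loop stops on either `]` or the terminating NUL, and the `continue` that follows advances `pe` once more, so with no `]` the outer loop resumed one byte past the end of the pattern and kept scanning whatever followed it in memory. Dropping `brclev = 0;` is safe only because the new `if (brclev || !*pe)` test above it returns whenever the count is non-zero; keep those two changes together if the patch is ever split. One more point: every new error path does `return (0)`, the same value the existing `if (lm >= restbufend) return (0);` uses for an over-long result, so a caller can only tell a malformed pattern from a non-match by looking at `globerr`; confirm that every caller of this function does.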
@@ -365,19 +373,18 @@
return (1);
sort();
pl = pm + 1;
- if (brclev)
- return (0);
continue;

case '[':
for (pm++; *pm && *pm != ']'; pm++)
continue;
- if (!*pm)
- pm--;
+ if (!*pm) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
- if (brclev)
- goto doit;
+ }
return (0);
}
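Review bot: with `if (brclev) goto doit;` deleted this was the only jump to `doit` visible in the patch; if nothing else references that label it is now unused and should go too, or the build will warn about it. The `case '['` change is the right counterpart to the scan loop: the old `if (!*pm) pm--;` backed `pm` onto the last character so the `for` increment landed on the NUL and the `pm <= pe` test could end the loop cleanly, i.e. an unterminated class was silently accepted; it is now rejected with the same "Missing ]" text. Removing `if (brclev) return (0);` after `pl = pm + 1;` relies on the nesting count being balanced on entry, which the `if (brclev || !*pe)` check inserted before this loop now enforces.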

@@ -429,11 +436,10 @@
else if (scc == (lc = cc))
ok++;
}
- if (cc == 0)
- if (ok)
- p--;
- else
- return 0;
+ if (cc == 0) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;

case '*':
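Review bot: this is a behaviour change as well as a hardening and deserves a changelog line: the old `if (ok) p--;` treated end-of-string as an implicit `]`, so a class such as `[abc` still matched when one of its characters did and only failed (`return 0`) when nothing matched; after the change any unterminated class is an error regardless of `ok`, with "Missing ]" in `globerr`. Note also that the removed code was a dangling-else, the `else` bound to `if (ok)` rather than to `if (cc == 0)`, which the braces in the replacement make moot.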



So it appears that by leaving off closing ']' and '}' characters, it's
possible to get the glob function to construct a long string. Odds are
this is being used in conjunction with a gzip 1.2.4 filename overflow,
which has also been talked about lately on other lists as well (see the
"New bugs discovered!" thread archived at:
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/ )

I also don't know if the globbing code uses a static buffer, thus it could
be more of a plain-type overflow.

Regardless, this is enough info to better assess possible risk. The above
patch should patch against the recent wu-ftpd source branches (Redhat
includes 2.7.0 in the SRPM).

Enjoy,
- rfp
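As an added example (mine, not wu-ftpd's code and not part of rfp's post), the following C program models the two loops of execbrc() that the patch touches, the scan that looks for the closing '}' and the copy that builds the expansion, with and without the "Missing ]" / "Missing }" checks. It runs three constructed patterns through both variants: a well-formed one, one with no closing ']' and one with no closing '}'. Assumed and not from the page: the names find_close, expand_first, restbuf and RESTBUF_SZ, the three inputs, and the '{'/'}' nesting count, which is my reconstruction of the part of the loop the hunks do not show.

```c
/* Added example, not wu-ftpd code: a cut-down model of execbrc() in glob.c
 * showing what the "Missing ]" / "Missing }" checks in the patch stop.
 * Function and buffer names are mine; the '{'/'}' nesting count is my
 * reconstruction of the part of the loop the hunks do not show. */
#include <stdio.h>
#include <string.h>

#define RESTBUF_SZ 32      /* wu-ftpd uses MAXPATHLEN + 1; kept small on purpose */

const char *globerr;       /* message set when the scanner rejects a pattern */
char restbuf[RESTBUF_SZ];  /* the expansion being built, as in execbrc() */

/* Scan for the '}' closing the group; p points just past the '{'.  Returns
 * its offset, or -1 when the loop ran off the end (globerr set if patched). */
static long find_close(const char *p, int patched)
{
    const char *pe;
    int brclev = 0;

    for (pe = p; *pe; pe++)
        switch (*pe) {
        case '{':
            brclev++;
            continue;
        case '}':
            if (brclev == 0)
                return (long)(pe - p);
            brclev--;
            continue;
        case '[':
            /* the inner loop stops on ']' OR on the terminating NUL ... */
            for (pe++; *pe && *pe != ']'; pe++)
                continue;
            if (patched && !*pe) {          /* the added "Missing ]" check */
                globerr = "Missing ]";
                return -1;
            }
            /* ... and without that check this continue does pe++ either way,
             * so with no ']' the outer loop resumes one byte past the NUL */
            continue;
        }
    if (patched)
        globerr = "Missing }";              /* the added pend: check */
    return -1;
}

/* Build prefix + first alternative + text after the group into restbuf, as
 * the second loop of execbrc() does with strcpy()/strcat().  Returns the
 * length the whole string would have (snprintf semantics: a value of
 * RESTBUF_SZ or more is the overflow the original's unbounded copies hit),
 * or -1 with globerr set when the patched scanner rejects the pattern. */
long expand_first(const char *pat, int patched)
{
    const char *p = strchr(pat, '{');
    const char *pe, *alt_end;
    long off;

    globerr = NULL;
    if (p == NULL)
        return -1;                  /* only brace patterns are modelled */
    p++;
    off = find_close(p, patched);
    if (off < 0 && patched)
        return -1;                  /* globerr says which check fired */
    pe = off < 0 ? p + strlen(p) : p + off;  /* old code reached pend: with pe on the NUL */
    for (alt_end = p; alt_end < pe && *alt_end != ','; alt_end++)
        continue;
    /* pe + 1 mirrors strcat(restbuf, pe + 1): past the terminator when pe is the NUL */
    return snprintf(restbuf, sizeof restbuf, "%.*s%.*s%s",
                    (int)(p - 1 - pat), pat, (int)(alt_end - p), p, pe + 1);
}

/* Constructed inputs.  Each is one array so the bytes the old code reads past
 * the NUL are still inside the object (no undefined behaviour in the demo);
 * in the server they would be whatever followed the pattern in memory. */
const char good[]        = "/pub/{x,y}z";
const char bad_brace[]   = "/pub/{x,y" "\0" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";
const char bad_bracket[] = "/pub/{x[ab" "\0" "c}/secret";

int main(void)
{
    const char *pats[] = { good, bad_brace, bad_bracket };
    int i, patched;

    for (i = 0; i < 3; i++)
        for (patched = 0; patched < 2; patched++) {
            long n = expand_first(pats[i], patched);
            printf("%-7s %-12s -> ", patched ? "patched" : "old", pats[i]);
            if (n < 0)
                printf("error: %s\n", globerr);
            else
                printf("%ld bytes%s: %s\n", n, n >= RESTBUF_SZ ? " (truncated here)" : "", restbuf);
        }
    return 0;
}
```

Compile with cc and run. The "old" rows show the unterminated '[' case pulling the bytes that sit beyond the terminator ("/secret") into the built path, and the unterminated '{' case producing a result longer than the whole buffer, which is the "long string" rfp describes; the "patched" rows stop in the scanner with the globerr text from the hunks and never reach the copy.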

© 2019 Packet Storm. All rights reserved.