
wu-ftpd.2.6.0.rfp

Posted Nov 28, 2001
Authored by rain forest puppy | Site wiretrip.net

Details and source diffs for the wu-ftpd v2.6.1 remote overflow vulnerability. By leaving off closing ']' and '}' characters, it's possible to get the glob function to construct a long string which very well may overflow a buffer in gzip v1.2.4.

tags | remote, overflow
SHA-256 | 30748757c260928c611e88fd96b30631aba28b1ad1813970dcd5a76a1ab7932d


Those of you who monitor 'other' security lists may have caught a "we know
something about wu-ftpd" message that came across not too long ago. And today,
RedHat released some updated wu-ftpd RPMs. So, in order to learn the
details of the bug, I grabbed the SRPM and took a peek.

Included in the SRPM is wu-ftpd-2.6.1-sec.patch, which is dated Nov 21.
This looks like a winner. The pertinent parts of the patch are:


--- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001
+++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001
@@ -309,7 +309,7 @@
if (lm >= restbufend)
return (0);
}
- for (pe = ++p; *pe; pe++)
+ for (pe = ++p; *pe; pe++) {
switch (*pe) {

case '{':
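Review bot: the `{` added to `for (pe = ++p; *pe; pe++) {` is closed only by the `+ }` that appears in the next hunk, so this hunk does not compile if cherry-picked on its own; the two glob.c hunks (or the whole wu-ftpd-2.6.1-sec.patch) have to be applied together.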
@@ -325,11 +325,19 @@
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
+ if (!*pe) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
+ }
pend:
- brclev = 0;
- for (pl = pm = p; pm <= pe; pm++)
+ if (brclev || !*pe) {
+ globerr = "Missing }";
+ return (0);
+ }
+ for (pl = pm = p; pm <= pe; pm++) {
switch (*pm & (QUOTE | TRIM)) {

case '{':
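Review bot: at `pend:` the silent reset `brclev = 0;` becomes `if (brclev || !*pe)` with an error return, which is the right direction, but the diff alone does not let a reader verify that `brclev` is guaranteed to be back at zero whenever the closing `}` was matched (that bookkeeping is outside the hunk); a one-line comment at the label stating that invariant, and that `!*pe` is the case where the scanner ran off the end of the pattern without finding `}`, would make the check reviewable. The new `if (!*pe) { globerr = "Missing ]"; ... }` after the `case '['` scan is the same test the later hunks add, so consider factoring it into one helper rather than repeating the three-line block.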
@@ -365,19 +373,18 @@
return (1);
sort();
pl = pm + 1;
- if (brclev)
- return (0);
continue;

case '[':
for (pm++; *pm && *pm != ']'; pm++)
continue;
- if (!*pm)
- pm--;
+ if (!*pm) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
- if (brclev)
- goto doit;
+ }
return (0);
}
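Review bot: removing `if (brclev) goto doit;` leaves the `doit:` label without this jump; if nothing else still targets it the label should go too, or the build will warn about an unused label. The substantive fix here is replacing `if (!*pm) pm--;` with an error return: the old code backed up one character and carried on expanding when no `]` was found, which is the behaviour the post ties to glob constructing an over-long string.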

@@ -429,11 +436,10 @@
else if (scc == (lc = cc))
ok++;
}
- if (cc == 0)
- if (ok)
- p--;
- else
- return 0;
+ if (cc == 0) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;

case '*':
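Review bot: the replacement drops the `if (ok) p--;` branch, so a character class that matched but has no closing `]` is now rejected instead of accepted; that is the intended tightening, but it changes matching results for existing malformed patterns and the patch description should say so. The old unbraced `if (cc == 0) if (ok) ... else return 0;` was also a dangling-else hazard, which the braced form removes.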



So it appears that by leaving off closing ']' and '}' characters, it's
possible to get the glob function to construct a long string. Odds are
this is being used in conjunction with a gzip 1.2.4 filename overflow,
which has also been talked about lately on other lists as well (see the
"New bugs discovered!" thread archived at:
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/ )

I also don't know if the globbing code uses a static buffer, thus it could
be more of a plain-type overflow.

Regardless, this is enough info to better assess possible risk. The above
patch should patch against the recent wu-ftpd source branches (Redhat
includes 2.7.0 in the SRPM).

Enjoy,
- rfp
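As an added illustration of the rule the patch enforces (not code from the wu-ftpd patch or from rfp's post), the checker below applies the same "every '[' needs a ']' and every '{' needs a '}'" test to a pattern before it reaches a globbing routine, returning the same error strings the patch assigns to globerr. The function name, the backslash-quoting rule and the extra "Unmatched }" case are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical pre-validation for glob patterns, modelled on the checks
 * the -sec.patch adds to glob.c. Returns NULL when the pattern is
 * well-formed, otherwise an error text in the style of globerr. */
const char *glob_pattern_check(const char *p)
{
    int brclev = 0;            /* brace nesting depth, as in glob.c */

    for (; *p; p++) {
        switch (*p) {
        case '\\':             /* assumption: backslash quotes the next char */
            if (p[1])
                p++;
            break;
        case '[':
            /* scan to the closing ']'; running off the end of the string
             * is exactly the condition the patch turns into "Missing ]" */
            for (p++; *p && *p != ']'; p++)
                continue;
            if (!*p)
                return "Missing ]";
            break;
        case '{':
            brclev++;
            break;
        case '}':
            if (brclev == 0)
                return "Unmatched }";   /* extra check, not in the patch */
            brclev--;
            break;
        default:
            break;
        }
    }
    /* reaching the end with an open brace is the patch's "Missing }" case */
    return brclev ? "Missing }" : NULL;
}
```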
