Details and source diffs for the wu-ftpd v2.6.1 remote overflow vulnerability. By leaving off the closing ']' and '}' characters, it's possible to get the glob function to construct a long string, which may well overflow a buffer in gzip v1.2.4.
30748757c260928c611e88fd96b30631aba28b1ad1813970dcd5a76a1ab7932d
Those of you who monitor 'other' security lists may have caught a "we know
something about wu-ftpd" message that came across not too long ago. And today,
RedHat released some updated wu-ftpd RPMs. So, in order to learn the
details of the bug, I grabbed the SRPM and took a peek.
Included in the SRPM is wu-ftpd-2.6.1-sec.patch, which is dated Nov 21.
This looks like a winner. The pertinent parts of the patch are:
--- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001
+++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001
@@ -309,7 +309,7 @@
if (lm >= restbufend)
return (0);
}
- for (pe = ++p; *pe; pe++)
+ for (pe = ++p; *pe; pe++) {
switch (*pe) {
case '{':
@@ -325,11 +325,19 @@
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
+ if (!*pe) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
+ }
pend:
- brclev = 0;
- for (pl = pm = p; pm <= pe; pm++)
+ if (brclev || !*pe) {
+ globerr = "Missing }";
+ return (0);
+ }
+ for (pl = pm = p; pm <= pe; pm++) {
switch (*pm & (QUOTE | TRIM)) {
case '{':
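Review bot: The new error paths after the `[` scan and at `pend:` report failure only through the global `globerr` plus a zero return, and nothing in this patch ever clears `globerr` again; unless the routine's entry point resets it (that code, like the start of the enclosing function, is outside the hunk), a stale "Missing ]" from one call could be reported against a later, well-formed pattern. The same set-and-return shape recurs in the hunks at `@@ -365,19` and `@@ -429,11`, so a single `globerr = NULL;` at entry would cover all three rather than each site having to worry about it. The `pend:` test now also catches the scan loop running off the end of the string, which presumably was previously tolerated; a comment such as `/* pend: unterminated or unbalanced braces are rejected, not expanded */` would make that intent clear to the next reader. Note the closing `}` added before `pend:` pairs with the `{` opened on the `for (pe = ++p; ...)` line in the previous hunk.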
@@ -365,19 +373,18 @@
return (1);
sort();
pl = pm + 1;
- if (brclev)
- return (0);
continue;
case '[':
for (pm++; *pm && *pm != ']'; pm++)
continue;
- if (!*pm)
- pm--;
+ if (!*pm) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
- if (brclev)
- goto doit;
+ }
return (0);
}
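Review bot: The new "Missing ]" check relies on the scan `for (pm++; *pm && *pm != ']'; pm++)`, which compares `*pm` raw, while the enclosing `switch` strips `QUOTE | TRIM` before classifying the character; as a result a `]` carrying the QUOTE bit does not close the class and the scan runs to the end of the string, where the new check then rejects the whole pattern. Whether a quoted `]` is meant to be literal here is not decidable from the hunk, but the two sites disagree and should say so, e.g. `/* quoted ']' (QUOTE bit set) does not terminate the class */`. After the loop, the existing `return (0)` returns the same value as the error paths without setting `globerr`, so callers that only test the return value cannot tell "nothing to expand" from "malformed pattern"; that is pre-existing but worth a comment now that the function has explicit error returns.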
@@ -429,11 +436,10 @@
else if (scc == (lc = cc))
ok++;
}
- if (cc == 0)
- if (ok)
- p--;
- else
- return 0;
+ if (cc == 0) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
case '*':
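Review bot: The replaced `if (cc == 0)` block now returns 0 for an unterminated class regardless of `ok`, which presumably is also the value this matcher returns for an ordinary non-match (the `ok++` counting above suggests so); the error is therefore distinguishable only via the global `globerr`, and a reader of the call site has no hint of that. A one-line comment on the new block, `/* unterminated class: report via globerr, not as a plain mismatch */`, would document the contract. The enclosing function begins and ends outside the hunk, so how the caller treats the zero return cannot be confirmed from here.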
So it appears that by leaving off closing ']' and '}' characters, it's
possible to get the glob function to construct a long string. Odds are
this is being used in conjunction with a gzip 1.2.4 filename overflow,
which has also been talked about lately on other lists as well (see the
"New bugs discovered!" thread archived at:
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/ )
I also don't know whether the globbing code uses a static buffer; if it does, this
could be more of a plain buffer overflow.
Regardless, this is enough info to better assess possible risk. The above
patch should patch against the recent wu-ftpd source branches (Redhat
includes 2.7.0 in the SRPM).
Enjoy,
- rfp