Wu-ftpd v2.6.2 contains a remote root vulnerability if SKEY support has been enabled. Patch included.
40a0ce3539a007074bcdc02b3be11b15fc0feb8fb09046d9beabf48081bace89
wuftpd v2.6.2 skey stack overflow vulnerability
by <michael@scanit.be>
--------------------------------------------------------------------------
Affected: Washington University FTP deamon, version 2.6.2 and
possibly below (not tested), with SKEY support enabled.
Not affected: NetBSD machines running wu-ftpd
Impact: Severe (remote code execution) if skey support is enabled.
General:
--------
The Washington University FTP deamon (hereafter reffered to as "wuftpd") is
a replacement FTP server for POSIX systems. Wuftpd supports skey
authentication to provide secure logins. However, the code that 'handles'
this has an exploitable stack based buffer overflow. Providing specially
crafted authentication credentials, it is possible to crash the deamon or
execute user-supplied code, running with root privileges.
Technical details:
------------------
A statically allocated buffer is filled using the sprintf() function in the
skey_challenge() function (src/ftpd.c).
char *skey_challenge(char *name, struct passwd *pwd, int pwok)
{
static char buf[128];
...
if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf))
sprintf(buf, "Password required for %s.", name);
else
sprintf(buf, "%s %s for %s.", sbuf,
pwok ? "allowed" : "required", name);
return (buf);
}
The variable *name is never subject to any boundries checking.
It is possible to write beyond the buf[] array, overwriting the return address
of the function, modifying the path of execution flow.
Fix/Workaround:
---------------
To protect you from this vulnerability, disable skey support, or apply
the following patch:
--- ftpd.c 2001-11-29 17:56:11.000000000 +0100
+++ ftpd.c 2003-10-20 20:43:58.000000000 +0200
@@ -1662,9 +1662,9 @@
/* Display s/key challenge where appropriate. */
if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf))
- sprintf(buf, "Password required for %s.", name);
+ snprintf(buf, 128-1, "Password required for %s.", name);
else
- sprintf(buf, "%s %s for %s.", sbuf,
+ snprintf(buf, 128-1, "%s %s for %s.", sbuf,
pwok ? "allowed" : "required", name);
return (buf);
}
This information has been provided by Michael Hendrickx <michael@scanit.be>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed