> -----Original Message-----
> From: owner-wu-ftpdat_private [mailto:owner-wu-ftpdat_private
> edu] On Behalf Of Gregory A Lundberg
> Sent: Tuesday, March 23, 1999 10:44 AM
> To: Russ Allbery
> Cc: ayu1at_private; wu-ftpdat_private
> Subject: Re: FW: ftp exploit
>
>
> On 23 Mar 1999, Russ Allbery wrote:
>
> > > any comments?
> >
> > It's an exploit script for the path overflow bug that's already been
> > announced by CERT, been on all the security lists, and has already
> > been fixed in the latest version of every wu-ftpd variant that I'm
> > aware of as well as being the impetus for the final mainline wu-ftpd
> > release?
>
> Correct. This is a full exploit against Redhat 5.2 (the original advisory
> was based upon a test, not an exploit).
>
> My comment: This posting proves why you need to keep up with the CERT
> mailing list, if not Bugtraq and other lists. As often happens, the
> exploit followed the discovery of the vulnerability by several weeks.
> While it sometimes happens that exploits are distributed before the daemon
> authors are notified and public security announcement made, this was not
> the case here.
>
>
>
> My testing shows:
>
> This is an exploit using the buffer overflow described in
>
>     CERT Advisory CA-99.03 - FTP-Buffer-Overflows
>
> Available from http://www.CERT.org/
>
> It is directed solely at Redhat CD 4.2 Linux systems running a clean,
> default install. It was not successful on unclean 5.2 systems, the
> pre-5.2 systems I tested on, or when I built the daemon by-hand instead of
> using a Redhat (S)RPM. My testing showed, while none of the systems I
> have available were exploitable, the exploit WOULD HAVE WORKED but failed
> for identifiable reasons.
>
> Given working code for Redhat 4.2, it should be a fairly simple matter to
> port to non-Linux or non-5.2 systems.
>
>
>
> WHO IS VULNERABLE
> -----------------
>
> - Systems running ALL versions of WU-FTPD _prior_ to 2.4.2 (final),
>   including all 2.4.2-beta versions, ARE VULNERABLE, except as noted
>   below:
>
>   - Systems with proper upload clauses are partially protected. Many
>     systems do not use proper upload clauses for real/guest users and are
>     NOT protected from abuse by their local users.
>
>   - Systems with proper permissions are partially protected. Most systems
>     do not use proper permissions for real/guest users since they would
>     prevent use by Telnet/SSH/Shell .. such systems are NOT protected from
>     their local users.
>
>
>
> WHO IS NOT VULNERABLE
> ---------------------
>
> - Systems running 2.4.2 (final) are protected against _this_ bug. Such
>   systems should upgrade to VR16 for maximum security; a number of other
>   bugs and security problems have been fixed in VR16.
>
> - Systems running 2.4.2-beta-18-VR10 or later are protected. Anyone
>   running VR10 through VR13 should upgrade to VR14 or later at your
>   earliest convenience.
>
> - Systems running BeroFTPD 1.2.0 or later are NOT vulnerable. All
>   BeroFTPD systems should upgrade to the current version (1.3.4) at their
>   earliest convenience. Anyone running a vulnerable system with NEWVIRT,
>   will want to immediately upgrade to BeroFTPD.
>
>
>
> The location of the latest version of wu-ftpd can be found in the
> directory
>
>     ftp://ftp.vr.net/pub/wu-ftpd/
>
>wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
>wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
>wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/
>
>--
>
>Gregory A Lundberg              Senior Partner, VRnet Company
>1441 Elmdale Drive              lundberg+wuftpdat_private
>Kettering, OH 45409-1615 USA    1-800-809-2195