We evaluated the source to the exploit, and made some changes to realpath.c (found in the /src directory of the wu-ftpd tarball). After making these changes, we tried the exploits again on 3 different machines (that we were able to compromise before) and could no longer get root. Interestingly enough, from the code that we saw, there was already code in the source to handle buffer overflows, but it wasn't implemented for all of the functions.

Neither I nor my company make any guarantees that these changes will fix the buffer overflows. I will say that we have not been able to gain root through the exploit posted since we made these changes.

This diff is against wu-ftpd 2.4.2b18 (not a VC distro). Here's the diff:

150c150 < strcpy(result, namebuf); --- > strncpy(result, namebuf, MAXPATHLEN); 158c158 < strcpy(result, namebuf); --- > strncpy(result, namebuf, MAXPATHLEN); 178c178 < strcpy(result, namebuf); --- > strncpy(result, namebuf, MAXPATHLEN); 183c183 < strcpy(result, workpath); --- > strncpy(result, workpath, MAXPATHLEN);

Adam Maloney
Systems Administrator
Internet Exposure, Inc.
[612] 922.3126
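
Review bot: in all four changes (150, 158, 178, 183) the strncpy bound of MAXPATHLEN leaves result without a terminating NUL whenever namebuf or workpath holds MAXPATHLEN bytes or more, because strncpy does not write a terminator in that case. Suggest bounding each copy with MAXPATHLEN - 1 and setting result[MAXPATHLEN - 1] = '\0' afterwards, or returning an error for an overlong path instead of silently truncating it to a different path. The diff does not show how large the caller's result buffer is, so it is worth confirming that every caller passes at least MAXPATHLEN bytes; the patch also only bounds the final copies into result and shows nothing about how namebuf and workpath themselves are filled.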
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:15 PDT