Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD

From: Gregory A Lundberg (lundbergat_private)
Date: Fri Oct 22 1999 - 12:24:03 PDT


    On Thu, Oct 21, 1999 at 03:05:22PM -0500, Rami Dass wrote:
    
    > Also, I believe that this problem occurs only in certain OS's vulnerable
    > to the getcwd() exploit, the ERRATA file, in the 2.6.0 source tree, lists
    > them:
    >
    > "Systems needing getcwd():
    >
    >   BSD 4.4       (bsd)
    >   Unix 3.x      (dec)
    >   DG/UX         (dgx)
    >   Dynix         (dyn)
    >   generic       (gen)
    >   NeXTstep 2.x  (nx2)
    >   OSF/1         (osf)
    >   Sony NewsOS   (sny)"
    >
    > So this exploit MIGHT be OS specific and certain OS's running versions
    > prior to 2.6.0 may not be affected.
    
    The issue you're discussing here is not part of the CERT or AUSCERT
    advisories.
    
    It's a well-known fact that getwd() is not a good choice; it overruns
    buffers.  getcwd() allows bounds checking and should be used instead.
    
    The systems listed above have no getcwd() function, or at least nobody has
    reported those systems now have one, so we're still assuming they do not
    (notice we're fixing _that_ class of assumptions by switching to autoconf).
    
    Sun operating systems, in particular SunOS, provide the getcwd() function.
    Testing has shown the results from that function are not reliable.
    
    In version 2.5.0 we started including a portable version of getcwd() for
    systems which do not have the function.  In version 2.6.0, we use that
    function on SunOS; eliminating the entire getwd()-class of problems.
    
    Note that on the systems listed above, unless the FTP administrator
    hand-changes something, the WU-FTPD daemon (version 2.5.0 or 2.6.0) will
    not compile.  There is a #error statement which stops the compile if
    getwd() would be used.
    
    
    
    > I did try building 2.6.0 under Solaris 7, and there were some problems
    > with using "ls".
    
    The problems with 'ls' are Solaris' ftp client; I understand Sun's had
    bug reports filed on it.  Our recommendation is to train Sun users to use
    'dir' or 'ls -l' instead, or install another vendor's ftp client.
    
    The issue here is the 'ls' command used to work for Sun Solaris users, but
    the mget command was unreliable for all users on all platforms.  Fixing
    mget broke Sun's client.  More properly stated, it exposed the brokenness
    of Solaris' command-line ftp client.
    
    
    
    > Incidentally, there has been a patch available to address the getcwd()
    > issue on the ftp site for wu-ftpd that can be applied to 2.5.0.
    
    The patch was for mapping_chdir, not the getcwd problem.
    
    The patches for 2.5.0 only fix vul #1 .. #2 and #3 are only fixed in 2.6.0.
    
    
    
    --
    
    Gregory A Lundberg              Senior Partner, VRnet Company
    1441 Elmdale Drive              lundbergat_private
    Kettering, OH 45409-1615 USA    1-800-809-2195
    