On Thu, Oct 21, 1999 at 03:05:22PM -0500, Rami Dass wrote:

> Also, I believe that this problem occurs only in certain OS's vulnerable
> to the getcwd() exploit, the ERRATA file, in the 2.6.0 source tree, lists
> them:
>
> "Systems needing getcwd():
>
> BSD 4.4 (bsd)
> Unix 3.x (dec)
> DG/UX (dgx)
> Dynix (dyn)
> generic (gen)
> NeXTstep 2.x (nx2)
> OSF/1 (osf)
> Sony NewsOS (sny)"
>
> So this exploit MIGHT be OS specific and certain OS's running versions
> prior to 2.6.0 may not be affected.

The issue you're discussing here is not part of the CERT or AUSCERT advisories.

It's a well-known fact that getwd() is not a good choice; it overruns buffers. getcwd() allows bounds checking and should be used instead. The systems listed above have no getcwd() function, or at least nobody has reported those systems now have one, so we're still assuming they do not (notice we're fixing _that_ class of assumptions by switching to autoconf).

Sun operating systems, in particular SunOS, provide the getcwd() function. Testing has shown the results from that function are not reliable.

In version 2.5.0 we started including a portable version of getcwd() for systems which do not have the function. In version 2.6.0, we use that function on SunOS, eliminating the entire getwd()-class of problems.

Note that on the systems listed above, unless the FTP administrator hand-changes something, the WU-FTPD daemon (version 2.5.0 or 2.6.0) will not compile. There is a #error statement which stops the compile if getwd() would be used.

> I did try building 2.6.0 under Solaris 7, and there were some problems
> with using "ls".

The problems with 'ls' are Solaris' ftp client; I understand Sun's had bug reports filed on it. Our recommendation is to train Sun users to use 'dir' or 'ls -l' instead, or install another vendor's ftp client.

The issue here is the 'ls' command used to work for Sun Solaris users, but the mget command was unreliable for all users on all platforms. Fixing mget broke Sun's client. More properly stated, it exposed the brokenness of Solaris' command-line ftp client.

> Incidentally, there has been a patch available to address the getcwd()
> issue on the ftp site for wu-ftpd that can be applied to 2.5.0.

The patch was for mapping_chdir, not the getcwd problem. The patches for 2.5.0 only fix vul #1 .. #2 and #3 are only fixed in 2.6.0.

-- 
Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundbergat_private
Kettering, OH 45409-1615 USA    1-800-809-2195
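
The bounds checking that the message above attributes to getcwd(), as an added example that is not part of the original message and is not WU-FTPD code. The names cwd_into, cwd_alloc and EXAMPLE_USE_GETWD are hypothetical; the #error guard only mirrors the kind of compile-time stop the message describes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical build switch (not a WU-FTPD macro): refuse to compile
 * if the unbounded getwd() path is selected. */
#ifdef EXAMPLE_USE_GETWD
#error "getwd() takes no buffer size and cannot be bounds-checked"
#endif

/* Fetch the working directory into a caller-supplied buffer of `size`
 * bytes. Returns 0 on success or the errno value on failure (ERANGE
 * when the path plus its NUL does not fit). Never writes past `size`. */
int cwd_into(char *buf, size_t size)
{
    if (size == 0)
        return EINVAL;
    errno = 0;
    if (getcwd(buf, size) == NULL) {
        int e = errno;
        buf[0] = '\0';          /* defined, empty result on failure */
        return e;
    }
    return 0;
}

/* Return the working directory in a malloc'd buffer, doubling the size
 * on ERANGE up to `max` bytes. Caller frees. NULL on failure. */
char *cwd_alloc(size_t max)
{
    for (size_t size = 64; size <= max; size *= 2) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        int rc = cwd_into(buf, size);
        if (rc == 0)
            return buf;
        free(buf);
        if (rc != ERANGE)       /* a real error, not a short buffer */
            return NULL;
    }
    errno = ERANGE;
    return NULL;
}

int main(void)
{
    char *cwd = cwd_alloc(65536);
    printf("cwd: %s\n", cwd ? cwd : "(unavailable)");
    free(cwd);
    return 0;
}
```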