Re: some ftpd implementations mishandle CWD ~{

From: Matt Power (mhpowerat_private)
Date: Wed May 09 2001 - 21:41:50 PDT

    On Wed, 2 May 2001 15:10:47 +0200, Christian Hammers <chat_private>
    wrote:
    
    >                ... you say that the server is DOS'able from remote...
    >Or maybe it's just the one thread that crashes and the main server will handle
    >other connections further on. (I haven't had time to really look at this)
    
    Typically connections would be accepted by inetd or some other program
    that has a similar role (tcpserver, xinetd, etc.).
    
    Here are some further details about what I originally posted:
    
    >(1) wu-ftpd 2.6.1 on Linux ...
    >...
    >    behavior of server: segmentation fault ...
    
    Some people have stated that the segmentation fault in wu-ftpd is due
    to dereferencing a NULL pointer. This might be true in some
    environments, but on (for example) Red Hat 6.1 Linux, the segmentation
    fault is due to a call to munmap with a specific non-zero address that
    happens to not refer to a valid memory location. In general, at the
    application level, the problem occurs because free is called with an
    incorrect argument. This is a non-zero argument in the Linux case.
    
    I've also been asked about when the code that leads to the
    segmentation fault (i.e., the "blkfree(&globlist[1])" code) was added
    to the ftpd. It was added in between wu-ftpd-2.4.2-beta-13 and
    wu-ftpd-2.4.2-beta-14. The change might be related to this section in
    the FIXES-2.4.2-BETA-14 file:
    
      "contains a number of fixes for various memory leaks in the glob
      routines as well as some logic problem in the processing of the
      ABOR verb"
    
    >(2) NetBSD 1.5T ...
    >...
    >    ftpd banner:
    >    220 hostname FTP server (NetBSD-ftpd 20010329) ready.
    ...
    >    Offhand, it looks like the server is responding with data from an
    >    inappropriate memory location. ...
    
    vendor response:
    
         As of 2001/04/17, (ftpd version string "20010417a"), NetBSD's
         ftpd doesn't use glob(3) for explicit ~ processing in pathnames,
         so it's not vulnerable to this particular attack.
    
    >There isn't any ftpd for which I've found an exploit by which the
    >"CWD ~{" behavior can be leveraged to allow execution of significantly
    >undesirable code.
    
    Still the same, and I haven't heard of anyone else finding an exploit.
    
    Matt Power
    BindView Corporation, RAZOR Team
    mhpowerat_private
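
The wu-ftpd crash described above, as an added example that is not wu-ftpd source or anyone's posted code: a NULL-terminated list shaped like glob(3)'s gl_pathv, a BSD-style blkfree(), and a small hypothetical pointer registry (tracked_malloc/checked_free) that reports free() on an interior pointer such as &globlist[1] instead of letting the allocator fault. The sample list contents are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Registry of pointers malloc actually returned (hypothetical helper), so an
 * invalid free target is reported instead of corrupting the heap. */
#define MAX_TRACKED 64
static void *tracked[MAX_TRACKED];
static int ntracked;
static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && ntracked < MAX_TRACKED) tracked[ntracked++] = p;
    return p;
}
/* Free p and return 1 only if p is exactly what malloc returned; return 0 for
 * an interior pointer, which the real free() must never be given. */
static int checked_free(void *p) {
    for (int i = 0; i < ntracked; i++) {
        if (tracked[i] != p) continue;
        tracked[i] = tracked[--ntracked];
        free(p);
        return 1;
    }
    return 0;
}
/* Build a NULL-terminated string list shaped like glob(3)'s gl_pathv. */
static char **make_list(const char *const *items, int n) {
    char **list = tracked_malloc((n + 1) * sizeof *list);
    for (int i = 0; i < n; i++)
        list[i] = strcpy(tracked_malloc(strlen(items[i]) + 1), items[i]);
    list[n] = NULL;
    return list;
}
/* BSD-style blkfree(): free every string, then the array itself. */
static int blkfree(char **av0) {
    for (char **av = av0; *av; av++) checked_free(*av);
    return checked_free(av0);
}
/* Returns 1 when the list is released from its base, 0 when the wu-ftpd
 * 2.6.1 pattern blkfree(&globlist[1]) hands free() an interior pointer
 * (the call that surfaced as munmap of a bogus address on Red Hat 6.1). */
int demo_free(int skip_first) {
    const char *items[] = { "~", "a.txt", "b.txt" };   /* constructed sample */
    char **globlist = make_list(items, 3);
    if (!skip_first)
        return blkfree(globlist);
    int ok = blkfree(&globlist[1]);
    checked_free(globlist[0]);   /* release what the buggy call left behind */
    checked_free(globlist);
    return ok;
}
```

With a real allocator the interior-pointer free is undefined behaviour: glibc reads a chunk header from the wrong place, which is why the symptom varies between a NULL dereference on some systems and a bad munmap on others.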
    
    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 14:25:54 PDT