COMMAND

    ftpd

SYSTEMS AFFECTED

    Systems running the ftpd shipped with the 2.2 and 3.0 releases (the
    popen.c patch below is against 3.0)

PROBLEM

    Do you remember the "argc > 100" bug in ftpd_popen(), where a  user
    could kill your ftpd and make it dump core with the shadow  password
    entries still in memory?  This bug (reported when 2.1 was the latest
    release) is still present in 2.2 and 3.0.  The vulnerability was
    brought to public attention by Vadim Kolontsov, and the text here is
    mostly his.

    BTW, the latest wu-ftpd beta (13) can still be killed this way...

    To test ftpd, do the following:

	telnet your.host 21
	user ftp (or your userid, if you have no anonymous ftp)
	pass ftp@ (or your password)
	list x x x x x x x x x x x ... (around 3 lines of "x" will be enough)

    A bugged ftpd will die here ("Connection closed by foreign  host").
    Now look for the core dump, extract the password hashes from it and
    start your Crack.  If no core file is left, the daemon was  running
    with core dumps disabled; the crash is still a denial of service.
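    The overflow described above, as an added example that is not ftpd's
    own popen.c: a reduced C model of the ftpd_popen() argument  handling
    with the missing bound put in.  MAXUSRARGS and MAXGLOBARGS keep  the
    names from the patch below (their values, 100 and 1000, are  assumed
    here); split_args(), count_tokens(), make_list_command(),
    process_command() and list_command_result() are names made  up  for
    this example.  The model rejects a command whose pieces would not fit
    in argv[MAXUSRARGS] instead of writing past the array, which is  what
    an unbounded split does with the LIST line from the telnet test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits with the names the patch uses; the values are assumed for this model. */
#define MAXUSRARGS   100    /* entries in the per-command argv[] */
#define MAXGLOBARGS  1000   /* entries in the globbed gargv[] */

/*
 * Split a command line into argv[] the way ftpd_popen() tokenizes it, with
 * the bound an unbounded split lacks: refuse the line once it would need
 * more than maxargs-1 pieces (the last slot holds the terminating NULL).
 * Returns argc, or -1 if the line has too many pieces.  strtok() modifies
 * the line in place, so the caller passes a writable copy.
 */
int split_args(char *line, char *argv[], int maxargs)
{
    int argc = 0;
    char *tok;

    for (tok = strtok(line, " \t\n"); tok != NULL; tok = strtok(NULL, " \t\n")) {
        if (argc >= maxargs - 1)
            return -1;      /* would run off the end of argv[]: reject, don't truncate */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Count the pieces a line would produce without storing any: this is how
 * many entries an unbounded split tries to write into argv[MAXUSRARGS]. */
int count_tokens(const char *line)
{
    int n = 0, in_tok = 0;

    for (; *line != '\0'; line++) {
        if (*line == ' ' || *line == '\t' || *line == '\n')
            in_tok = 0;
        else if (!in_tok) {
            in_tok = 1;
            n++;
        }
    }
    return n;
}

/* Build "LIST x x ... x\n" with n arguments, the line typed in the telnet
 * test.  The caller frees the result. */
char *make_list_command(int n)
{
    size_t len = strlen("LIST") + (size_t)n * 2 + 2;   /* " x" per arg, '\n', NUL */
    char *cmd = malloc(len);
    int i;

    if (cmd == NULL)
        return NULL;
    strcpy(cmd, "LIST");
    for (i = 0; i < n; i++)
        strcat(cmd, " x");
    strcat(cmd, "\n");
    return cmd;
}

/*
 * Model of the hardened ftpd_popen(): tokenize into argv[MAXUSRARGS], then
 * walk the pieces the way the patched glob loop does, bounded by both
 * MAXGLOBARGS and MAXUSRARGS.  The real code glob()s each piece; here a
 * piece expands to itself.  Returns the number of pieces that reached the
 * glob stage, or -1 if the command was rejected (too many pieces, or empty).
 */
int process_command(const char *cmd)
{
    char *argv[MAXUSRARGS];
    char *gargv[MAXGLOBARGS];
    char *line = malloc(strlen(cmd) + 1);
    int argc, gargc;

    if (line == NULL)
        return -1;
    strcpy(line, cmd);
    if (split_args(line, argv, MAXUSRARGS) < 1) {
        free(line);
        return -1;
    }

    gargv[0] = argv[0];
    /* The `argc < MAXUSRARGS` test is the one the 3.0 patch adds. */
    for (gargc = argc = 1;
         argv[argc] && gargc < (MAXGLOBARGS - 1) && argc < MAXUSRARGS;
         argc++)
        gargv[gargc++] = argv[argc];
    gargv[gargc] = NULL;

    free(line);
    return gargc - 1;
}

/* process_command() for a LIST line with n arguments; frees the line itself. */
int list_command_result(int n)
{
    char *cmd = make_list_command(n);
    int r;

    if (cmd == NULL)
        return -1;
    r = process_command(cmd);
    free(cmd);
    return r;
}

int main(void)
{
    printf("LIST x x x        -> %d pieces globbed\n", process_command("LIST x x x\n"));
    printf("LIST with 98 args -> %d pieces globbed\n", list_command_result(98));
    printf("LIST with 99 args -> %d (rejected, would overflow argv[])\n",
           list_command_result(99));
    return 0;
}
```

    With a 100-entry argv[] the cut-off is 99 pieces including the command
    word itself, so a LIST with 99 or more arguments is refused; the  same
    line fed to a split loop with no bound writes past argv[] and is  what
    produces the "Connection closed by foreign host" in the test above.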

SOLUTION

    Yes, ftpd was patched, but incompletely.  It seems these patches were
    never tested (though the patch against the "kill -11" (SIGSEGV) crash
    has not been checked yet either).

    Here is an additional patch for 3.0's ftpd:

    ========================= cut here ===============================
    *** popen.c.old Sun Apr 13 11:22:59 1997
    --- popen.c     Sun Apr 13 11:23:16 1997
    ***************
    *** 95,101 ****

	    /* glob each piece */
	    gargv[0] = argv[0];
    !       for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
		    glob_t gl;
		    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;

    --- 95,101 ----

	    /* glob each piece */
	    gargv[0] = argv[0];
    !       for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1) && argc < MAXUSRARGS; argc++) {
		    glob_t gl;
		    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
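    Review bot: the added `argc < MAXUSRARGS` bound in the for condition stops the glob loop reading argv[argc] past the end of a MAXUSRARGS-sized array, but it only protects this loop; the tokenizing loop that fills argv[] is not in this hunk and must be bounded (and NULL-terminated within MAXUSRARGS) in the same way, otherwise the overflow has already happened before this line runs. Also, when the bound trips the extra pieces are silently dropped rather than the command being refused; consider failing the command and logging it, so a LIST with 100+ arguments shows up in the logs instead of being quietly truncated.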
    ========================= cut here ===============================