COMMAND

    wuftpd

SYSTEMS AFFECTED

    wuftpd prior to 2.6.0

PROBLEM

    Tymm Twillman found the following.  When WuFTPD processes a .message
    file it reads the file into a buffer 255 bytes at a time and expands
    a number of % options (e.g. %H is replaced by the remote hostname in
    the output message).  The output buffer is only 1024 bytes long, so
    if the expanded results of the % options are longer than about 4-5
    characters each, the expansion overflows this buffer.

    Exploits for this would probably be difficult, as the input buffer
    is actually located after the output buffer in memory, so the
    expansion overwrites the input buffer and keeps copying the resulting
    contents forward in memory over and over until the top of memory is
    hit, causing a segfault.  However, with some tricks (using % options
    that don't produce output, for example) it may be possible to stop
    the copying before this occurs.  Since Tymm didn't take compiler
    variable re-ordering into account, this is potentially easier to
    exploit than believed.
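    The defect above is a missing space check on each % expansion: the
    code reads a bounded 255-byte chunk but never compares the expanded
    length against the 1024-byte output buffer.  The following is an
    added example, not wu-ftpd's code, showing the bounded way to do the
    same expansion: every replacement is clipped to the room left in the
    output buffer, and the function reports how many bytes the full
    expansion needed (snprintf style) so the caller can detect and log
    truncation.  Only %H and %% are implemented here; the 255/1024 sizes
    are taken from the advisory, and the hostname and message text are
    constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_LINE_MAX 255   /* input chunk size named in the advisory */
#define OUT_BUF_MAX  1024  /* output buffer size named in the advisory */

/* Expand a .message-style line into out[], never writing past outsz-1
 * bytes plus the terminating NUL.  %H becomes the hostname, %% becomes a
 * literal '%', anything else is copied through.  Returns the length the
 * complete expansion would need (excluding NUL); a return value >= outsz
 * means the output was truncated.  Constructed example, not wu-ftpd. */
size_t expand_message_line(const char *in, char *out, size_t outsz,
                           const char *hostname)
{
    size_t needed = 0;   /* bytes the full expansion requires */
    size_t pos = 0;      /* bytes actually written to out */

    for (const char *p = in; *p != '\0'; p++) {
        const char *rep;
        size_t replen;
        char one[2] = { *p, '\0' };

        if (*p == '%' && p[1] == 'H') {
            rep = hostname;
            replen = strlen(hostname);
            p++;                         /* consume the 'H' */
        } else if (*p == '%' && p[1] == '%') {
            one[0] = '%';
            rep = one;
            replen = 1;
            p++;                         /* consume the second '%' */
        } else {
            rep = one;
            replen = 1;
        }

        needed += replen;
        if (outsz > 0) {
            /* Clip this replacement to the space remaining before NUL. */
            size_t room = outsz - 1 - pos;
            size_t n = replen < room ? replen : room;
            memcpy(out + pos, rep, n);
            pos += n;
        }
    }
    if (outsz > 0)
        out[pos] = '\0';
    return needed;
}

/* Returns 1 if expanding `in` would not fit the 1024-byte output buffer,
 * i.e. the condition the advisory describes; 0 otherwise. */
int expansion_overflows(const char *in, const char *hostname)
{
    char tmp[OUT_BUF_MAX];
    return expand_message_line(in, tmp, sizeof tmp, hostname) >= sizeof tmp;
}

/* Fill buf with as many "%H" tokens as fit in one 255-byte input chunk.
 * Constructed test input to show how little input is needed to exceed
 * the output buffer once each token is expanded. */
void make_token_line(char *buf, size_t bufsz)
{
    size_t i = 0;
    while (i + 2 < bufsz && i + 2 <= MSG_LINE_MAX) {
        buf[i++] = '%';
        buf[i++] = 'H';
    }
    buf[i] = '\0';
}

int main(void)
{
    char out[OUT_BUF_MAX];
    char line[MSG_LINE_MAX + 1];
    const char *host = "ftp.example.net";   /* constructed sample hostname */

    size_t need = expand_message_line("Welcome to %H", out, sizeof out, host);
    printf("%s (needed %zu bytes)\n", out, need);

    make_token_line(line, sizeof line);
    printf("%zu-byte input line of %%H tokens overflows 1024-byte output: %s\n",
           strlen(line), expansion_overflows(line, host) ? "yes" : "no");
    return 0;
}
```

    A 254-byte line of %H tokens with a 15-character hostname expands to
    1905 bytes, so the check fires on input that is well within the
    255-byte read limit; a server-side log of such truncations is a
    useful indicator that someone is placing crafted .message files in
    writable anonymous directories.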

SOLUTION

    This was fixed in 2.6.0 (but it's still beta).  Until 2.6.0 is a
    final release, it is suggested that people remove any "message
    .message ..." lines from the ftpaccess file and, for this and other
    reasons, add a path-filter for anonymous users; there's a good
    example in the ftpaccess man page.  The path-filter will also help
    protect against anonymous users creating filenames that start with a
    dash and having them interpreted as arguments to tar, if
    tar-file-on-download is enabled.
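    As an added illustration (not from the advisory), the two ftpaccess
    changes look like this.  The path-filter line follows the form I
    recall from the ftpaccess(5) man page (path-filter typelist
    message-file allowed-charset disallowed-regexps...); the message file
    path and the exact regular expressions are assumptions, so check them
    against the man page shipped with your version.

```text
# Before: .message files in anonymous-writable directories are expanded
# and displayed on every cd, exercising the overflow described above.
message /welcome.msg            login
message .message                cwd=*

# After: drop the per-directory .message line (keep a fixed login banner
# if you want one), and restrict the characters anonymous users may use
# in uploaded names: no leading dot, no leading dash.
message /welcome.msg            login
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
```

    The allowed-charset regexp bounds the whole name; the trailing
    regexps reject anything starting with "." or "-", which is what stops
    a name such as "-rf" from being passed through to tar when
    tar-file-on-download is enabled.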