COMMAND
wu-ftpd
SYSTEMS AFFECTED
wu-ftpd 5.x, 6.0
PROBLEM
Michal Zalewski posted the following. This is the result of my
20-minute-long mini-audit of the wu-ftpd 2.6.0 source code. We won't
spend time analysing source code nor doing any debugging. Just
simply issue a command like:
grep -nE 'sprintf.*\%s|strcat|strcpy' *.c
Gosh... Not even thinking about many, many other dangerous
functions and mechanisms. Results? Yes, some...
The problem affects wu-ftpd installations with S/Key support
enabled. In fact, this mechanism, instead of increasing site
security, results in a buffer overflow at the time of user login on
some machines. What is the problem? Well... (ftpd.c):
#if defined(SKEY) && !defined(__NetBSD__)
[...]
/* skey_challenge - additional password prompt stuff */
char *skey_challenge(char *name, struct passwd *pwd, int pwok)
{
    static char buf[128];
    char sbuf[40];
    struct skey skey;

    /* Display s/key challenge where appropriate. */
    if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf))
        sprintf(buf, "Password required for %s.", name);
    else
        sprintf(buf, "%s %s for %s.", sbuf,
                pwok ? "allowed" : "required", name);
    return (buf);
}
#endif
Well... The buffer (buf, size = 128 bytes) is placed on the heap.
Aah, an example?
    USER <much-more-than-128-bytes>
No, no SEGV or crash, simply an overwritten piece of memory. Some
debugging would be nice.
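As an added example (not part of the advisory and not wu-ftpd's own code), the same skey_challenge() logic written as a stand-alone C program with the one change a fix needs: sprintf replaced by snprintf bounded to sizeof buf, and the snprintf return value used to tell the caller that the reply was truncated rather than written past the end of buf. stub_skeychallenge() is a hypothetical stand-in for libskey's skeychallenge() (different signature, constructed challenge string for one constructed user), and has_pwd stands in for the struct passwd pointer. unbounded_reply_length() and challenge_would_overflow() show at which USER length the original 128-byte buffer is overrun; the sample USER names are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CHALLENGE_BUF 128   /* same size as buf in the wu-ftpd snippet */
#define SKEY_BUF      40    /* same size as sbuf in the wu-ftpd snippet */

/* Hypothetical stand-in for libskey's skeychallenge(): fills sbuf with a
 * constructed challenge and returns 0 for the constructed user "bob";
 * returns 1 (no challenge) for anyone else. Not the real library call. */
static int stub_skeychallenge(const char *user, char *sbuf, size_t sbuflen)
{
    if (strcmp(user, "bob") != 0)
        return 1;
    snprintf(sbuf, sbuflen, "otp-md5 97 host1234");   /* constructed */
    return 0;
}

/* Hardened skey_challenge(): sprintf -> snprintf bounded by sizeof buf, plus
 * a flag telling the caller the reply was truncated instead of overrunning
 * buf. has_pwd replaces the struct passwd pointer (non-zero = user found). */
char *skey_challenge_safe(const char *name, int has_pwd, int pwok, int *truncated)
{
    static char buf[CHALLENGE_BUF];
    char sbuf[SKEY_BUF];
    int n;

    if (!has_pwd || stub_skeychallenge(name, sbuf, sizeof sbuf))
        n = snprintf(buf, sizeof buf, "Password required for %s.", name);
    else
        n = snprintf(buf, sizeof buf, "%s %s for %s.", sbuf,
                     pwok ? "allowed" : "required", name);

    /* snprintf returns the length it wanted to write; a value >= sizeof buf
     * means the original sprintf would have written past the end of buf. */
    if (truncated)
        *truncated = (n < 0 || (size_t)n >= sizeof buf);
    return buf;
}

/* Bytes the original unbounded sprintf writes (including the NUL) for a
 * USER name of name_len characters that has no s/key challenge. */
size_t unbounded_reply_length(size_t name_len)
{
    return strlen("Password required for ") + name_len + strlen(".") + 1;
}

/* Builds a USER name of name_len 'A' characters (constructed input), runs
 * the hardened function on it and returns 1 if truncation was needed, i.e.
 * if the original code would have overflowed its 128-byte buffer. */
int challenge_would_overflow(size_t name_len)
{
    static char name[512];
    int truncated = 0;

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    skey_challenge_safe(name, 1, 0, &truncated);
    return truncated;
}

int main(void)
{
    size_t lens[] = { 5, 104, 105, 200 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("USER of %3zu bytes -> sprintf would write %3zu bytes, overflow=%d\n",
               lens[i], unbounded_reply_length(lens[i]),
               challenge_would_overflow(lens[i]));
    return 0;
}
```

The boundary is worth noting: "Password required for " is 22 bytes and the trailing "." plus NUL two more, so a USER name of 104 bytes exactly fills the 128-byte buffer and a name of 105 bytes is the first one the original sprintf writes past it, which is why the overflow is silent rather than a crash for modestly oversized names.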
This was found by portal. It's nothing peculiar, and has too
many requirements. One has to create a symbolic link in a
directory and list it with the 'internal ls'. Additionally, it's
a heap overflow. Have fun with it...
SOLUTION
The problem does NOT affect systems without S/Key support compiled
into ftpd and does NOT affect NetBSD's libskey (see the #ifdefs).