Everhart, Glenn (FUSA)

From: Gregory Newby [gbnewby@ILS.UNC.EDU]
Sent: Monday, May 03, 1999 8:11 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: wuftp2.4.2academ beta 12-18 exploit

On Sat, 1 May 1999, Mixter wrote:

> this works on a lot of wu-ftpd`s
> also uses other commands than MKD to
> exploit realpath() overflow

Workaround: wu-ftpd and variants that use files /etc/ftp* for
configuration can easily help protect you against the many recent
variants that exploit buffer overflows with MKDIR. All the varieties
I've seen require creating a directory or file - that's where the
overflow happens.

In /etc/ftpaccess, you have the option to specify what commands may
and may not be run by particular users. Just add lines to specify
that user anonymous (or whatever others you want) cannot put, delete,
mkdir, etc. E.g., lines like these:

    chmod no anonymous
    delete no anonymous
    overwrite no anonymous
    rename no anonymous
    mkdir no anonymous
    upload no anonymous

Do you want your anonymous users to put files, change files, etc.?
Probably not...and this is where the automated scripts are first
going to try to break in: by anonymous FTP, not another username.

These lines will prevent the MKD from succeeding, even if you leave a
directory chmod 777. I tested this with RH Linux 5.2 and ftpd
wu-2.4.2-VR17, with the program Mixter provided and a couple of 777
directories.

Because the buffer overflow doesn't happen until after a few
iterations of the MKDIR command, I expect this would work on any
system using wu-ftpd variants, because the first iteration of MKDIR
or anything else to create a file/directory would fail.

"man ftpaccess" for details on the /etc/ftpaccess file wu-ftpd uses.

  -- Greg

// Gregory B. Newby, Assistant Professor in the School of Information
// and Library Science, University of North Carolina at Chapel Hill
// CB# 3360 Manning Hall, Chapel Hill, NC, 27599-3360 E: gbnewby@ils.unc.edu
// V: 919-962-8064 F: 919-962-8071 W: http://www.ils.unc.edu/~gbnewby/
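
Added example (not part of the original message and not wu-ftpd code): a small Python audit that reads ftpaccess text and reports which of the six directives listed in the message lack a "no" for anonymous. The "<directive> <yes|no> <types>" line shape is taken from the lines in the message; the comma-separated type list, "#" comment lines, and treating any "yes" as a gap are assumptions of this sketch.

```python
# Added example: audit ftpaccess text for the deny lines listed in the message.
# Assumed line shape (from the message): <directive> <yes|no> <type>[,<type>...]
REQUIRED = ("chmod", "delete", "overwrite", "rename", "mkdir", "upload")

def audit_ftpaccess(text, user_type="anonymous"):
    """Map each required directive to 'denied', 'allowed' or 'missing'."""
    status = {d: "missing" for d in REQUIRED}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # assumption: '#' starts a comment line
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() not in status:
            continue
        directive, answer = fields[0].lower(), fields[1].lower()
        # Accept "anonymous,guest" as well as "anonymous, guest".
        types = {t.strip().lower() for t in ",".join(fields[2:]).split(",")}
        if user_type not in types or answer not in ("yes", "no"):
            continue
        if answer == "yes":
            status[directive] = "allowed"         # audit choice: any 'yes' is a gap
        elif status[directive] != "allowed":
            status[directive] = "denied"
    return status

def gaps(text, user_type="anonymous"):
    """Directives not explicitly denied for user_type, in REQUIRED order."""
    result = audit_ftpaccess(text, user_type)
    return [d for d in REQUIRED if result[d] != "denied"]

# Constructed sample, not taken from a real host.
SAMPLE = """\
# constructed sample ftpaccess
class all real,guest,anonymous *
chmod no anonymous
delete no anonymous,guest
overwrite no guest
rename yes anonymous
mkdir no anonymous
"""

if __name__ == "__main__":
    for name, state in audit_ftpaccess(SAMPLE).items():
        print(f"{name:10s} {state}")
    print("gaps:", gaps(SAMPLE))
```

To check a live host, pass the contents of /etc/ftpaccess to gaps() and treat a non-empty result as lines still to add.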