From hartmans@MIT.EDU Tue Oct 15 13:00:46 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA29838 for ; Tue, 15 Oct 1996 13:00:45 -0400
Received: from TERTIUS.MIT.EDU by MIT.EDU with SMTP id AA22021; Tue, 15 Oct 96 13:00:38 EDT
Received: (from hartmans@localhost) by tertius.mit.edu (8.6.12/8.6.9) id MAA15482; Tue, 15 Oct 1996 12:59:34 -0400
Message-Id:
Date: 15 Oct 1996 12:59:33 -0400
From: Sam Hartman
Sender: hartmans@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: [Vadim Kolontsov ] BoS: another two bugs in ftpd

>Number:         111
>Category:       krb5-appl
>Synopsis:       ftpd may share bugs with BSD ftpd
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    krb5-unassigned
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue Oct 15 13:01:01 EDT 1996
>Last-Modified:  Fri Aug 07 00:14:37 EDT 1998
>Originator:
>Organization:
>Release:        beta-7
>Environment:
>Description:

We may share bugs with BSD FTPD that allow shadow passwords to make their way into an ftpd core file. I do not believe the srvtab is vulnerable.

>How-To-Repeat:
>Fix:
>Audit-Trail:

From: Sam Hartman
To: Unassigned Problem Report
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/111: ftpd may share bugs with BSD ftpd
Date: Fri, 1 Nov 1996 18:44:11 -0500

`Sam Hartman' made changes to this PR.

*** /tmp/gnatsa001VG	Fri Nov  1 18:42:24 1996
--- /tmp/gnatsb001VG	Fri Nov  1 18:43:43 1996
***************
*** 14,20 ****
  >Category:       krb5-appl
  >Synopsis:       ftpd may share bugs with BSD ftpd
  >Confidential:   no
! >Severity:       serious
  >Priority:       low
  >Responsible:    krb5-unassigned
  >State:          open
--- 14,20 ----
  >Category:       krb5-appl
  >Synopsis:       ftpd may share bugs with BSD ftpd
  >Confidential:   no
! >Severity:       non-critical
  >Priority:       low
  >Responsible:    krb5-unassigned
  >State:          open
***************
*** 24,32 ****
  >Last-Modified:
  >Originator:
  >Organization:
! >Release:
  >Environment:
  >Description:
  >How-To-Repeat:
  >Fix:
  >Audit-Trail:
--- 24,37 ----
  >Last-Modified:
  >Originator:
  >Organization:
! >Release:        beta-7
  >Environment:
  >Description:
+ 
+ We may share bugs with BSD FTPD that allow
+ shadow password to make their way into an ftpd core file.
+ I do not believe the srvtab is vulnerable.
+ 
  >How-To-Repeat:
  >Fix:
  >Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: mdh
State-Changed-When: Fri Aug 7 00:09:48 1998
State-Changed-Why:
Currently gssftpd does not have these bugs. I don't know whether they were fixed and not noted here or if the original PR was plain wrong. If the user is not logged in, passive() will not get called because of the logged_in flag. Currently ftp_popen() does bounds-check argc the first time through, and then hard-caps it with argv[MAX_ARGV-1]=NULL.

>Unformatted:

------- Start of forwarded message -------
Resent-Date: Tue, 15 Oct 1996 19:52:47 +1000
Message-Id:
Date: Tue, 15 Oct 1996 08:41:40 +0300
Reply-To: Vadim Kolontsov
From: Vadim Kolontsov
To: Multiple recipients of list BUGTRAQ
Resent-Message-Id: <"PIZ7d2.0._h1.ywrOo"@suburbia>
Resent-From: best-of-security@suburbia.net
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: another two bugs in ftpd

Hello,

wu-ftpd can create a core dump in the following two situations too (yes, the dump will contain some subset of shadowed passwords):

1) "pasv" given when the user is not logged in (caused by an error in passive())
2) more than 100 arguments to any executable command (for example, "list") (caused by an error in ftpd_popen())

The first error is present in almost all versions of BSD's ftpd, wu-ftpd and derivatives. The second error is present in all versions of BSD's ftpd, wu-ftpd and derivatives (as far as I know).

The bugfixes are simple: checking for "pw != NULL" in the first case, and checking for "argc < 100" in the other (see sources).

Best regards,
Vadim.

P.S. By the way, who knows the e-mail of the wu-ftpd developer? Mail me, please...

--------------------------------------------------------------------------
Vadim Kolontsov                      SysAdm/Programmer
Tver Regional Center of New Information Technologies  Networks Lab
------- End of forwarded message -------
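The argv bounds check that the closing note above describes (and the "argc < 100" fix Vadim suggests), as an added example in C; this is not ftpd's own code, and MAX_ARGV, split_args and count_args_for are names chosen here for illustration:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical cap on the argv array, in the spirit of MAX_ARGV in the note above. */
#define MAX_ARGV 100

/*
 * Split a command line into whitespace-separated arguments, storing pointers
 * into buf (which is modified in place, strtok-style).  At most MAX_ARGV - 1
 * arguments are stored, and argv is always NULL-terminated, so a caller that
 * later passes argv to execv() never runs off the end of the array.
 * Returns argc, or -1 when the line carries too many arguments, so the caller
 * can reject the command instead of writing past argv[MAX_ARGV - 1].
 */
int split_args(char *buf, char *argv[MAX_ARGV])
{
    int argc = 0;
    char *p = buf;

    while (*p != '\0') {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;                                   /* skip separators */
        if (*p == '\0')
            break;
        if (argc >= MAX_ARGV - 1) {                /* the missing bounds check */
            argv[MAX_ARGV - 1] = NULL;             /* hard cap, as the note describes */
            return -1;
        }
        argv[argc++] = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                                   /* advance to end of token */
        if (*p != '\0')
            *p++ = '\0';                           /* terminate the token */
    }
    argv[argc] = NULL;
    return argc;
}

/* Constructed input: a command line of n one-letter arguments, then split it. */
int count_args_for(int n)
{
    char buf[4096];
    char *argv[MAX_ARGV];
    size_t len = 0;

    for (int i = 0; i < n && len + 2 < sizeof buf; i++) {
        buf[len++] = 'x';
        buf[len++] = ' ';
    }
    buf[len] = '\0';
    return split_args(buf, argv);
}
```

With MAX_ARGV at 100, a line of 99 arguments is accepted and a line of 100 or more is refused with -1 rather than overrunning argv.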