From hartmans@MIT.EDU Tue Oct 15 13:00:46 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA29838 for <bugs@RT-11.MIT.EDU>; Tue, 15 Oct 1996 13:00:45 -0400
Received: from TERTIUS.MIT.EDU by MIT.EDU with SMTP
id AA22021; Tue, 15 Oct 96 13:00:38 EDT
Received: (from hartmans@localhost) by tertius.mit.edu (8.6.12/8.6.9) id MAA15482; Tue, 15 Oct 1996 12:59:34 -0400
Message-Id: <tslsp7g17uy.fsf@tertius.mit.edu>
Date: 15 Oct 1996 12:59:33 -0400
From: Sam Hartman <hartmans@MIT.EDU>
Sender: hartmans@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: [Vadim Kolontsov <vadim@tversu.ac.ru>] BoS: another two bugs in ftpd

>Number: 111
>Category: krb5-appl
>Synopsis: ftpd may share bugs with BSD ftpd
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 15 13:01:01 EDT 1996
>Last-Modified: Fri Aug 07 00:14:37 EDT 1998
>Originator:
>Organization:
>Release: beta-7
>Environment:
>Description:

We may share bugs with BSD FTPD that allow
shadow passwords to make their way into an ftpd core file.
I do not believe the srvtab is vulnerable.

>How-To-Repeat:
>Fix:
>Audit-Trail:

From: Sam Hartman <hartmans@MIT.EDU>
To: Unassigned Problem Report <krb5-unassigned@RT-11.MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/111: ftpd may share bugs with BSD ftpd
Date: Fri, 1 Nov 1996 18:44:11 -0500

`Sam Hartman' made changes to this PR.

*** /tmp/gnatsa001VG Fri Nov 1 18:42:24 1996
--- /tmp/gnatsb001VG Fri Nov 1 18:43:43 1996
***************
*** 14,20 ****
>Category: krb5-appl
>Synopsis: ftpd may share bugs with BSD ftpd
>Confidential: no
! >Severity: serious
>Priority: low
>Responsible: krb5-unassigned
>State: open
--- 14,20 ----
>Category: krb5-appl
>Synopsis: ftpd may share bugs with BSD ftpd
>Confidential: no
! >Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
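Review bot: the Severity change in this hunk, from serious to non-critical, is recorded with no rationale anywhere in the PR; the Description added in the same change says shadow passwords can end up in an ftpd core file, which is the kind of disclosure that normally keeps a report at serious, so State-Changed-Why or the Audit-Trail should say why it was lowered (for instance, that the bug is only suspected, as the Synopsis's "may share" suggests, and not yet reproduced in the Kerberos ftpd).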
***************
*** 24,32 ****
>Last-Modified:
>Originator:
>Organization:
! >Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
--- 24,37 ----
>Last-Modified:
>Originator:
>Organization:
! >Release: beta-7
>Environment:
>Description:
+
+ We may share bugs with BSD FTPD that allow
+ shadow password to make their way into an ftpd core file.
+ I do not believe the srvtab is vulnerable.
+
>How-To-Repeat:
>Fix:
>Audit-Trail:
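Review bot: the Description added in this hunk says only that ftpd "may share bugs with BSD FTPD" and names neither affected function, and Environment is left empty; the forwarded Bugtraq report in the Unformatted section pins the two cases to passive() (PASV before login) and ftpd_popen() (more than 100 arguments to a command), so the Description should name those two code paths so that whoever closes the PR can check them directly.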

State-Changed-From-To: open-closed
State-Changed-By: mdh
State-Changed-When: Fri Aug 7 00:09:48 1998
State-Changed-Why:

Currently gssftpd does not have these bugs. I don't know whether they were
fixed and not noted here or if the original PR was plain wrong. If the user
is not logged in, passive() will not get called because of the logged_in
flag. Currently ftp_popen() does bounds-check argc the first time through,
and then hard-caps it with argv[MAX_ARGV-1]=NULL.

>Unformatted:

------- Start of forwarded message -------
Resent-Date: Tue, 15 Oct 1996 19:52:47 +1000
Message-Id: <Pine.NEB.3.95.961015083231.10753B-100000@mailserv.tversu.ac.ru>
Date: Tue, 15 Oct 1996 08:41:40 +0300
Reply-To: Vadim Kolontsov <vadim@tversu.ac.ru>
From: Vadim Kolontsov <vadim@tversu.ac.ru>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Resent-Message-Id: <"PIZ7d2.0._h1.ywrOo"@suburbia>
Resent-From: best-of-security@suburbia.net
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: another two bugs in ftpd

Hello,

wuftpd can create a core dump in the following two situations too (yes, the dump
will contain some subset of shadowed passwords):

1) "pasv" given when user not logged in
(caused by error in passive())

2) more than 100 arguments to any executable command (for example, "list")
(caused by error in ftpd_popen())

The first error is present in almost all versions of BSD's ftpd, wu-ftpd and
derivatives. The second error is present in all versions of BSD's ftpd, wu-ftpd and
derivatives (as far as I know).
Bugfixes are simple: checking for "pw != NULL" in the first case, and
checking for "argc < 100" in the other one (see sources).

Best regards, Vadim.

P.S. By the way, who knows e-mail of wu-ftpd developer? Mail me, pls...
--------------------------------------------------------------------------
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab

------- End of forwarded message -------
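An added example, not code from ftpd or from either message above, of the bounded argument splitter that mdh's closing note and the forwarded report describe for the ftpd_popen() case: the count is bounds-checked before every store and argv[MAX_ARGV-1] stays NULL as a hard cap, so a LIST with 100 or more arguments is refused instead of running off the end of the array. MAX_ARGV = 100, the function names and the constructed inputs are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ARGV 100  /* assumed cap; mirrors the "argc < 100" check in the report */

/* Split buf (modified in place) into argv[] for exec. Stores at most MAX_ARGV-1
 * pointers, bounds-checks before every store and always leaves argv[MAX_ARGV-1]
 * NULL as a hard cap. Returns argc, or -1 when more arguments arrive than fit. */
int split_args(char *buf, char *argv[MAX_ARGV])
{
    int argc = 0;
    char *p = buf;

    argv[MAX_ARGV - 1] = NULL;            /* hard cap, like argv[MAX_ARGV-1]=NULL */
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t') p++;   /* skip separators */
        if (*p == '\0') break;
        if (argc >= MAX_ARGV - 1)
            return -1;                    /* too many arguments: reject, never overflow */
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t') p++;
        if (*p != '\0')
            *p++ = '\0';                  /* terminate this token */
    }
    argv[argc] = NULL;
    return argc;
}

/* argc for a literal command line such as "list -l /pub" (constructed input). */
int count_args_of(const char *line)
{
    char buf[4096], *argv[MAX_ARGV];
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    return split_args(buf, argv);
}

/* argc for a constructed line of n one-letter arguments, e.g. 100 args to LIST. */
int count_args_for_n(int n)
{
    char buf[4096], *argv[MAX_ARGV];
    int i, len = 0;
    if (n < 0 || (size_t)n * 2 >= sizeof buf)
        return -1;
    for (i = 0; i < n; i++) { buf[len++] = 'x'; buf[len++] = ' '; }
    buf[len] = '\0';
    return split_args(buf, argv);
}
```

A caller that gets -1 should answer the command with an error rather than truncating the argument list silently.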