SUMMARY: FTPD daemon

From: Eric Arney <Eric-Arney_at_ouhsc.edu>
Date: Wed, 12 Jul 2000 09:38:53 -0500

Thanks to the three people who replied. Most of the replies said to install
wu-ftp. Here are two of the replies.
 
Eric Arney wrote:
>
> My question is in reference to the "Advisory CA-2000-13 Two Input Validation
> Problems In FTPD". Is True 64 included in this? If so, is there a patch for
> this? Sorry, I'm pretty new to the true-64 4.0d and 4.0f Unix and any info on
> where the FTPD came from would be great. Thanks.
 
The advisory doesn't mention T64. It could be that FTPD included with
T64 is a "DEC brand" and has no such bugs.
 
Nix.
-- 
"An expert is a man who has made all the mistakes which can be made in
 a very narrow field" - Niels Bohr
 
Excuse me for my bad English, firstly. If you use any wuftpd or BSD 
(proftpd, beroftpd, etc.) derived ftp daemon you can potentially be the object 
of attacks. But I think that's only theory; that exploits can be attacked 
only with one valid username/password for your ftp server; exploit code for 
the two security bugs is not public (hummm ... for the site_exec vulnerability 
it exists but is broken; for setproctitle() nothing public exists). At the 
end ... all code released is valid ONLY for x86 executable stack. I 
strongly recommend you to upgrade to wu-ftpd 2.6.1 from 
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
 
If you have an old wu-ftpd academ (wu-ftpd < 2.5.0) here is a patch to 
work around the problem (you can use it with diff); if you have a new 
wu-ftpd (2.6.0) you can upgrade to 2.6.1 or still patch it referring to 
www.wuftpd.org or its ftp.
 
     --- src/ftpcmd.y.orig       Tue Jun 27 16:57:36 2000
     +++ src/ftpcmd.y    Tue Jun 27 17:00:42 2000
     _at__at_ -1590,13 +1590,13 _at__at_
          } else {
              int lines = 0;
 
     -        lreply(200, cmd);
     +   lreply(200, "%s", cmd);
              while (fgets(buf, sizeof buf, cmdf)) {
                  int len = strlen(buf);
 
                  if (len>0 && buf[len-1]=='\n')
                      buf[--len] = '\0';
     -            lreply(200, buf);
     +       lreply(200, "%s", buf);
                  if (++lines >= 20) {
                      lreply(200, "*** Truncated ***");
                      break;
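
Review bot: the two new lreply(200, "%s", ...) lines carry no comment saying why the "%s" is there, so a later cleanup could fold cmd or buf back into the format position. Add a one-line comment at each site that cmd and the fgets() output in buf are untrusted data and must only ever be passed as arguments. The two added lines are also indented differently from the surrounding context (it looks like a tab where the file uses spaces); matching the existing indentation keeps the diff to the real change.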
 
     --- src/ftpd.c.orig Tue Jun 27 17:05:30 2000
     +++ src/ftpd.c      Tue Jun 27 17:06:37 2000
     _at__at_ -1775,7 +1775,7 _at__at_
              reply(230, "User %s logged in.%s", pw->pw_name, guest ?
                    "  Access restrictions apply." : "");
              sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
     -        setproctitle(proctitle);
     +   setproctitle("%s", proctitle);
              if (logging)
                  syslog(LOG_INFO, "FTP LOGIN FROM %s [%s], %s",
                         remotehost, remoteaddr, pw->pw_name);
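
Review bot: the sprintf(proctitle, "%s: %s", remotehost, pw->pw_name) on the line above the changed call is still unbounded, and the size of proctitle is not visible in this hunk, so the length of remotehost plus pw->pw_name decides how much is written. Either bound the copy (snprintf with sizeof proctitle, if proctitle is an array) or drop the intermediate buffer and call setproctitle("%s: %s", remotehost, pw->pw_name) directly, since the patched call already relies on setproctitle taking a format and arguments. The added line's indentation also differs from the context lines around it.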
     _at__at_ -3337,7 +3337,7 _at__at_
 
          remotehost[sizeof(remotehost)-1]='\0';
          sprintf(proctitle, "%s: connected", remotehost);
     -    setproctitle(proctitle);
     +    setproctitle("%s", proctitle);
 
      #if 0      /* this is redundant unless the caller doesn't do 
*anything*, and
                tcpd will pick it up and deal with it better anyways. _H*/
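
Review bot: remotehost is NUL-terminated at sizeof(remotehost)-1 just before the sprintf in this hunk, so the write into proctitle is safe only if proctitle holds at least sizeof(remotehost) + 11 bytes (the extra 11 being ": connected"), and nothing in the visible lines enforces that relation. State it in a comment next to the sprintf or enforce it, for example with snprintf(proctitle, sizeof proctitle, ...) if proctitle is an array, or pass setproctitle("%s: connected", remotehost) and remove the temporary string.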
 
Signed,
Paolo
Received on Wed Jul 12 2000 - 14:39:47 NZST
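
A check for the pattern this patch fixes, as an added example that is not part of the original messages or of wu-ftpd: a small Python scanner that flags lreply, reply, setproctitle and syslog calls whose format argument is not a string literal. The argument positions, the helper names and the condensed BEFORE sample are assumptions constructed from the lines of the diff above; character literals and comments in real C source are not handled.

```python
import re
# Position of the format argument for each printf-style call in the patch
# (assumed: lreply/reply take the reply code first, syslog the priority).
FORMAT_ARG = {"lreply": 1, "reply": 1, "setproctitle": 0, "syslog": 1}
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(FORMAT_ARG))

def split_args(text, i):
    """Split a C argument list starting just after '(' on top-level commas."""
    args, cur, depth, in_str = [], "", 0, False
    while i < len(text):
        c = text[i]
        if in_str and c == "\\":          # keep escapes such as \" intact
            cur, i = cur + text[i:i + 2], i + 2
            continue
        if c == '"':
            in_str = not in_str
        elif not in_str:
            if c == ")" and depth == 0:   # closing paren of the call itself
                break
            if c == "," and depth == 0:   # argument separator
                args.append(cur.strip())
                cur, i = "", i + 1
                continue
            depth += (c == "(") - (c == ")")
        cur, i = cur + c, i + 1
    return args + [cur.strip()]

def nonliteral_formats(source):
    """Return (line, function, argument) for every non-literal format."""
    found = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end())
        pos = FORMAT_ARG[m.group(1)]
        if pos < len(args) and not args[pos].startswith('"'):
            found.append((source.count("\n", 0, m.start()) + 1, m.group(1), args[pos]))
    return found

# Constructed sample: the pre-patch calls from the diff, condensed.
BEFORE = '''\
lreply(200, cmd);
lreply(200, buf);
lreply(200, "*** Truncated ***");
sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
setproctitle(proctitle);
syslog(LOG_INFO, "FTP LOGIN FROM %s [%s], %s",
       remotehost, remoteaddr, pw->pw_name);
'''
AFTER = (BEFORE.replace("(200, cmd)", '(200, "%s", cmd)')
               .replace("(200, buf)", '(200, "%s", buf)')
               .replace("title(proctitle)", 'title("%s", proctitle)'))
```

Run over BEFORE it reports the three call sites the patch changes; run over AFTER it reports nothing.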
