another wu-ftpd exploit (fwd)
Lic. Rodolfo Gonzalez Gonzalez
rgg en solarium.cs.buap.mx
Lun Oct 2 16:28:37 CDT 2000
Heads up... (I'm sending it along with all the senders included).
---------- Forwarded message ----------
Date: Thu, 28 Sep 2000 09:33:20 -0700
From: Elias Levy <aleph1 en SECURITYFOCUS.COM>
To: INCIDENTS en SECURITYFOCUS.COM
Subject: another wu-ftpd exploit
Return-Path: <owner-bugtraq en securityfocus.com>
Delivered-To: bugtraq en lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
by lists.securityfocus.com (Postfix) with SMTP id 8896124CC5B
for <bugtraq en lists.securityfocus.com>; Wed, 27 Sep 2000 22:22:50 -0700 (PDT)
Received: (qmail 22592 invoked by alias); 28 Sep 2000 05:24:40 -0000
Delivered-To: bugtraq en securityfocus.com
Received: (qmail 22580 invoked from network); 28 Sep 2000 05:24:40 -0000
Received: from adsl-64-222-80-8.bellatlantic.net (HELO bunta.alpinista.phrozen.org) (64.222.80.8)
by mail.securityfocus.com with SMTP; 28 Sep 2000 05:24:39 -0000
Received: from ath.alpinista.phrozen.org (ath.alpinista.phrozen.org [192.168.1.4])
by bunta.alpinista.phrozen.org (8.9.3/8.8.7) with SMTP id BAA05957;
Thu, 28 Sep 2000 01:29:26 -0400
From: George Bakos <alpinista en bigfoot.com>
Organization: EWA-IIT
To: info en sans.org, bugtraq en securityfocus.com
Subject: another wu-ftpd exploit
Date: Thu, 28 Sep 2000 01:26:14 -0400
X-Mailer: KMail [version 1.1.61]
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <00092801261400.11851 en ath.alpinista.phrozen.org>
Content-Transfer-Encoding: 8bit
Yesterday www.hack.co.za made available yet another format string stack
overwrite exploit for wu-ftpd 2.6.0-*. I have seen an increased level of
scanning for port 21 in the past 36 hours, no doubt attributable to this
latest SITE EXEC vulnerability.
This problem was previously addressed by bugtraq id 1387 and CERT/CC
CA-2000-13 http://www.cert.org/advisories/CA-2000-13.html
The new tool (wu-lnx.c) in the lab against Mandrake 7.1 and RH 6.0 shows
limited success as well as 100% effectiveness against RH 6.2. Version 2.6.1
does not appear vulnerable.
A preliminary scrub of the code and traces indicated that user data supplied
via the PASS command is stuffed with shellcode and a SITE EXEC then
overwrites a stack pointer to call it.
The following is an entry left in /var/log/messages on the target box. Note
the last line.
Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM
grover.tester.org [192.168.222.1],
?
1À1Û1É°FÍ€1À1ÛC‰ÙA°?
Í€ëk^1À1É^^AˆF^Df¹ÿ^A°'Í€1À^^A°=Í€1À1Û^^H‰C^B1ÉþÉ1À^^
H°^LÍ€þÉuó1ÀˆF^I^^H°=Í€þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^H
V^L°^KÍ€1À1Û°^AÍ€èÿÿÿ0bin0sh1..11
As the parent service (inetd) is not affected, there may be no external
indication that a site has been attacked. Additionally, this is not a buffer
overflow, and no process will exit unexpectedly. Ndiff and similar
techniques will fail to detect any changes in the status of listening inet
ports on exploited systems.
This is another incarnation of a very serious vulnerability. If you are
running wu-ftpd 2.60-*, it is advised that you upgrade to the 2.6.1 release.
George Bakos
Systems Security Engineer
EWA-IIT
alpinista en bigfoot.com
----- End forwarded message -----
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
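The log entry Bakos quotes is the one host-side trace the attack leaves: the anonymous-FTP password field, which should be a printable e-mail address, holds raw bytes and a shell-path fragment. The following scanner, an added example that is not part of the original post or of wu-ftpd, flags such entries in /var/log/messages; the syslog layout, the thresholds and the sample bytes (placeholders, not real shellcode) are constructed assumptions.

```python
import re

# Start of a classic BSD-syslog record: "Sep 28 02:46:25 host ...".
RECORD_START = re.compile(rb"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# wu-ftpd anonymous-login message as quoted in the post; the password field
# follows the bracketed address and may hold arbitrary bytes.
LOGIN_RE = re.compile(
    rb"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM (?P<host>\S+) "
    rb"\[(?P<addr>[^\]]+)\],\s*(?P<passwd>.*)", re.DOTALL)

def split_records(data: bytes) -> list[bytes]:
    """Group raw log bytes into records. A line that does not start with a
    syslog timestamp is a continuation of the previous record (the logged
    password in the post wrapped onto several lines)."""
    records = []
    for line in data.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += b"\n" + line
    return [r for r in records if r]

def suspicious_password(passwd: bytes) -> list[str]:
    """Reasons a logged anonymous-FTP password looks like injected code.
    Anonymous passwords are conventionally e-mail addresses: printable ASCII."""
    reasons = []
    control = sum(1 for b in passwd if b < 0x20 or b == 0x7F)
    highbit = sum(1 for b in passwd if b >= 0x80)
    if control or highbit:
        reasons.append(f"{control} control and {highbit} high-bit bytes")
    if re.search(rb"bin.sh", passwd):  # "0bin0sh" in the post: separators patched at run time
        reasons.append("embedded shell path fragment")
    if len(passwd) > 128:  # assumed threshold; legitimate addresses are far shorter
        reasons.append(f"unusually long password ({len(passwd)} bytes)")
    return reasons

def scan_syslog(data: bytes) -> list[dict]:
    """Return one finding per ftpd anonymous login whose password looks hostile."""
    findings = []
    for rec in split_records(data):
        m = LOGIN_RE.search(rec)
        if m and (reasons := suspicious_password(m.group("passwd"))):
            findings.append({"pid": int(m.group("pid")),
                             "addr": m.group("addr").decode("latin-1"),
                             "reasons": reasons})
    return findings

# Constructed sample log: one ordinary anonymous login, one whose password
# carries placeholder non-printable bytes (not shellcode) plus "0bin0sh".
SAMPLE_LOG = (
    b"Sep 28 02:40:01 drteeth ftpd[14900]: ANONYMOUS FTP LOGIN FROM "
    b"mirror.example.net [192.168.222.7], mozilla@\n"
    b"Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM "
    b"grover.tester.org [192.168.222.1], \x01\x02\xc0\xdb\xc9\n\x03\x80\x81"
    b"0bin0sh1..11\n"
    b"Sep 28 02:47:00 drteeth inetd[400]: ftp/tcp: connection\n"
)
```

Running `scan_syslog(SAMPLE_LOG)` reports only the second login (pid 14989), with the byte counts and the shell-path fragment as the reasons.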
---------------------------------------------------------
To leave the list, send a message with the words
"unsubscribe ayuda" in the body to majordomo en linux.org.mx
More information about the Ayuda mailing list