Return-Path: owner-ftpd@jp.win.ne.jp
Message-Id: <200006230910.e5N9An066792@koga.do.mms.mt.nec.co.jp>
To: ftpd@jp.win.ne.jp
Subject: [ftpd 680] wu-ftpd 2.6.0 remote root exploit
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Fri, 23 Jun 2000 18:10:49 +0900 (JST)
From: Koga Youichirou <y-koga@mms.mt.nec.co.jp>
X-Dispatcher: imput version 20000228(IM140)
Lines: 105
Sender: owner-ftpd@jp.win.ne.jp
Reply-To: ftpd@jp.win.ne.jp
X-Sequence: ftpd 680
Delivered-To: mailing list ftpd@jp.win.ne.jp
Precedence: bulk

wu-ftpd について、リモートから root 権限を奪える exploit コードが 
Bugtraq で流れ、それを受けて Debian から修正パッチが出た模様です。

http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz

で、パッチとソースを眺めてみて、とりあえず必要な部分を拾って、さらに
動作的には影響ないかもしれないけれど、オリジナルから直した方がよさそう
な個所を修正するパッチを送ります。[ftpd 674] の修正も含んでいます。

もしかしたら、Debian パッチからごっそり省略した部分で必要な処理がある
かもしれません。その場合は、あしからずです。

Index: ftpcmd.y
===================================================================
RCS file: /usr/cvs/src/wu-ftpd/src/ftpcmd.y,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 ftpcmd.y
--- ftpcmd.y	1999/10/21 11:50:51	1.1.1.1
+++ ftpcmd.y	2000/06/23 08:19:30
@@ -1926,13 +1926,13 @@
 	}
 	if (!maxfound)
 	    maxlines = defmaxlines;
-	lreply(200, cmd);
+	lreply(200, "%s", cmd);
 	while (fgets(buf, sizeof buf, cmdf)) {
 	    size_t len = strlen(buf);
 
 	    if (len > 0 && buf[len - 1] == '\n')
 		buf[--len] = '\0';
-	    lreply(200, buf);
+	    lreply(200, "%s", buf);
 	    if (maxlines <= 0)
 		++lines;
 	    else if (++lines >= maxlines) {
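Review bot: The two `lreply` calls are now given a literal format, but nothing stops the next non-literal call from creeping back in, which matters given the cover note's own doubt (L28-29) that parts of the Debian patch were dropped. The `reply`/`lreply` prototypes, which are outside this hunk, should carry `__attribute__((format(printf, 2, 3)))` (the calls here show the format is the second argument), so that `-Wformat -Wformat-security` reports any remaining `reply(code, buf)` site across the tree rather than relying on a manual sweep. The enclosing function in ftpcmd.y starts and ends outside the hunk.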
Index: ftpd.c
===================================================================
RCS file: /usr/cvs/src/wu-ftpd/src/ftpd.c,v
retrieving revision 1.1.1.1.2.10
diff -u -r1.1.1.1.2.10 ftpd.c
--- ftpd.c	2000/03/17 02:01:57	1.1.1.1.2.10
+++ ftpd.c	2000/06/23 08:47:21
@@ -1606,9 +1606,9 @@
     /* Display s/key challenge where appropriate. */
 
     if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf))
-	sprintf(buf, "Password required for %s.", name);
+	snprintf(buf, 128, "Password required for %s.", name);
     else
-	sprintf(buf, "%s %s for %s.", sbuf,
+	snprintf(buf, 128, "%s %s for %s.", sbuf,
 		pwok ? "allowed" : "required", name);
     return (buf);
 }
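Review bot: The size passed to `snprintf` is the hard-coded `128` rather than the size of `buf`, so the bound and the declaration can silently drift apart on the next edit; if `buf` is declared as an array in this function (its declaration is above the hunk), use `snprintf(buf, sizeof buf, "Password required for %s.", name);` and likewise for the s/key branch. If `buf` is a pointer to a buffer allocated elsewhere, its length should be passed in or named by a shared constant instead. Truncating the challenge text is acceptable here since the reply only needs to be well-formed, which is presumably why no truncation check was added.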
@@ -2012,9 +2012,9 @@
 	    s = strsep(&cp, "\n");
 	    if (cp == NULL || *cp == '\0')
 		break;
-	    lreply(331, s);
+	    lreply(331, "%s", s);
 	}
-	reply(331, s);
+	reply(331, "%s", s);
     }
     else {
 #endif
@@ -2495,7 +2495,7 @@
 #ifdef BSD_AUTH
 	if (ext_auth) {
 	    if ((salt = check_auth(the_user, passwd))) {
-		reply(530, salt);
+		reply(530, "%s", salt);
 #ifdef LOG_FAILED		/* 27-Apr-93      EHK/BM          */
 		syslog(LOG_INFO, "failed login from %s",
 		       remoteident);
@@ -3160,7 +3160,7 @@
 	reply(230, "User %s logged in.%s", pw->pw_name, guest ?
 	      "  Access restrictions apply." : "");
 	sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
-	setproctitle(proctitle);
+	setproctitle("%s", proctitle);
 	if (logging)
 	    syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name);
 /* H* mod: if non-anonymous user, copy it to "authuser" so everyone can
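Review bot: The `sprintf(proctitle, "%s: %s", remotehost, pw->pw_name)` on the line before the changed `setproctitle` call is still unbounded, so only half of the proctitle problem is fixed; `remotehost` is NUL-capped elsewhere (visible in the @@ -5908 hunk) but the combined length with `pw->pw_name` is not checked against the size of `proctitle`. If `proctitle` is an array, `snprintf(proctitle, sizeof proctitle, "%s: %s", remotehost, pw->pw_name);` closes it; the same applies to `sprintf(proctitle, "%s: connected", remotehost)` in the @@ -5908 hunk. The declaration of `proctitle` is outside both hunks, so confirm it is an array before relying on `sizeof`.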
@@ -5908,7 +5908,7 @@
 
     remotehost[sizeof(remotehost) - 1] = '\0';
     sprintf(proctitle, "%s: connected", remotehost);
-    setproctitle(proctitle);
+    setproctitle("%s", proctitle);
 
     wu_authenticate();
 /* Create a composite source identification string, to improve the logging
@@ -6318,7 +6318,7 @@
 	dirlist = ftpglob(whichfiles);
 	sdirlist = dirlist;	/* save to free later */
 	if (globerr != NULL) {
-	    reply(550, globerr);
+	    reply(550, "%s", globerr);
 	    goto globfree;
 	}
 	else if (dirlist == NULL) {

----
こがよういちろう