Return-Path: owner-ftpd@jp.win.ne.jp Message-Id: <200006230910.e5N9An066792@koga.do.mms.mt.nec.co.jp> To: ftpd@jp.win.ne.jp Subject: [ftpd 680] wu-ftpd 2.6.0 remote root exploit X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA) Mime-Version: 1.0 Content-Type: Text/Plain; charset=iso-2022-jp Content-Transfer-Encoding: 7bit Date: Fri, 23 Jun 2000 18:10:49 +0900 (JST) From: Koga Youichirou X-Dispatcher: imput version 20000228(IM140) Lines: 105 Sender: owner-ftpd@jp.win.ne.jp Reply-To: ftpd@jp.win.ne.jp X-Sequence: ftpd 680 Delivered-To: mailing list ftpd@jp.win.ne.jp Precedence: bulk wu-ftpd について、リモートから root 権限を奪える exploit コードが Bugtraq で流れ、それを受けて Debian から修正パッチが出た模様です。 http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz で、パッチとソースを眺めてみて、とりあえず必要な部分を拾って、さらに 動作的には影響ないかもしれないけれど、オリジナルから直した方がよさそう な個所を修正するパッチを送ります。[ftpd 674] の修正も含んでいます。 もしかしたら、Debian パッチからごっそり省略した部分で必要な処理がある かもしれません。その場合は、あしからずです。 Index: ftpcmd.y =================================================================== RCS file: /usr/cvs/src/wu-ftpd/src/ftpcmd.y,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 ftpcmd.y --- ftpcmd.y 1999/10/21 11:50:51 1.1.1.1 +++ ftpcmd.y 2000/06/23 08:19:30 @@ -1926,13 +1926,13 @@ } if (!maxfound) maxlines = defmaxlines; - lreply(200, cmd); + lreply(200, "%s", cmd); while (fgets(buf, sizeof buf, cmdf)) { size_t len = strlen(buf); if (len > 0 && buf[len - 1] == '\n') buf[--len] = '\0'; - lreply(200, buf); + lreply(200, "%s", buf); if (maxlines <= 0) ++lines; else if (++lines >= maxlines) { Index: ftpd.c =================================================================== RCS file: /usr/cvs/src/wu-ftpd/src/ftpd.c,v retrieving revision 1.1.1.1.2.10 diff -u -r1.1.1.1.2.10 ftpd.c --- ftpd.c 2000/03/17 02:01:57 1.1.1.1.2.10 +++ ftpd.c 2000/06/23 08:47:21 
@@ -1606,9 +1606,9 @@ /* Display s/key challenge where appropriate. */ if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf)) - sprintf(buf, "Password required for %s.", name); + snprintf(buf, 128, "Password required for %s.", name); else - sprintf(buf, "%s %s for %s.", sbuf, + snprintf(buf, 128, "%s %s for %s.", sbuf, pwok ? "allowed" : "required", name); return (buf); } @@ -2012,9 +2012,9 @@ s = strsep(&cp, "\n"); if (cp == NULL || *cp == '\0') break; - lreply(331, s); + lreply(331, "%s", s); } - reply(331, s); + reply(331, "%s", s); } else { #endif @@ -2495,7 +2495,7 @@ #ifdef BSD_AUTH if (ext_auth) { if ((salt = check_auth(the_user, passwd))) { - reply(530, salt); + reply(530, "%s", salt); #ifdef LOG_FAILED /* 27-Apr-93 EHK/BM */ syslog(LOG_INFO, "failed login from %s", remoteident); @@ -3160,7 +3160,7 @@ reply(230, "User %s logged in.%s", pw->pw_name, guest ? " Access restrictions apply." : ""); sprintf(proctitle, "%s: %s", remotehost, pw->pw_name); - setproctitle(proctitle); + setproctitle("%s", proctitle); if (logging) syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name); /* H* mod: if non-anonymous user, copy it to "authuser" so everyone can @@ -5908,7 +5908,7 @@ remotehost[sizeof(remotehost) - 1] = '\0'; sprintf(proctitle, "%s: connected", remotehost); - setproctitle(proctitle); + setproctitle("%s", proctitle); wu_authenticate(); /* Create a composite source identification string, to improve the logging @@ -6318,7 +6318,7 @@ dirlist = ftpglob(whichfiles); sdirlist = dirlist; /* save to free later */ if (globerr != NULL) { - reply(550, globerr); + reply(550, "%s", globerr); goto globfree; } else if (dirlist == NULL) { ---- こがよういちろう
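Review bot: The bound `128` in both new `snprintf(buf, 128, ...)` calls of the ftpd.c `@@ -1606` hunk is a bare literal that is not tied to the declaration of `buf`, which lies outside the hunk, so it is correct only while that declaration happens to match. If `buf` is an array in this scope, `snprintf(buf, sizeof(buf), "Password required for %s.", name);` (and the same for the second call) keeps the limit right if the buffer is ever resized. The truncation is silent, which looks acceptable for a prompt string, but a one-line comment such as `/* prompt may be truncated to fit buf */` would record that this is intended. The enclosing function starts before the hunk.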
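Review bot: The context line `sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);` in the ftpd.c `@@ -3160` hunk is still an unbounded write. The change closes the format-string path into `setproctitle` but leaves the copy that builds `proctitle` unchecked, and the same applies to `sprintf(proctitle, "%s: connected", remotehost);` in the `@@ -5908` hunk. The size of `proctitle` is not visible in either hunk, so this may be safe today given the lengths of `remotehost` and the account name, but that depends on declarations elsewhere. If `proctitle` is an array in scope, `snprintf(proctitle, sizeof(proctitle), "%s: %s", remotehost, pw->pw_name);` would bound it the same way this patch already bounds the s/key prompt. Both enclosing functions extend beyond their hunks.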