|
|
|
|
| |
| There's an overflow in wu-ftpd 2.5 and prior releases (including VR and BeroFTPD) in mapped_path when mapping current working directory to command-line. The exploit code hasn't been released yet, so that the author of the programs will have time to patch their programs against such an attack. A temporary patch has been provided bellow. |
| |
Credit:
This vulnerability and patch have been reported by: Michal Zalewski.
|
| |
The following patch fixes the above vulnerability in the wu-ftpd 2.5 ftp daemon:
*** ftpd.c Sun Jun 6 15:20:21 1999
--- ftpd_patched.c Sun Jun 6 15:15:03 1999
***************
*** 1245,1251 ****
/* append the dir part with a leading / unless at root */
if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
strcat( mapped_path, "/" );
! strcat( mapped_path, dir );
}
int
--- 1245,1254 ----
/* append the dir part with a leading / unless at root */
if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
strcat( mapped_path, "/" );
! if ( strlen(mapped_path) + strlen (dir) < 4095 )
! strcat( mapped_path, dir );
! else
! syslog(LOG_ERR, "FTP mapped_path attack ");
}
int
|
|
|
|
|
|
|
|
|
|
