Heads up... (I'm sending it with all the senders).

---------- Forwarded message ----------
Date: Thu, 28 Sep 2000 09:33:20 -0700
From: Elias Levy <aleph1 en SECURITYFOCUS COM>
To: INCIDENTS en SECURITYFOCUS COM
Subject: another wu-ftpd exploit

Return-Path: <owner-bugtraq en securityfocus com>
Delivered-To: bugtraq en lists securityfocus com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
    by lists.securityfocus.com (Postfix) with SMTP id 8896124CC5B
    for <bugtraq en lists securityfocus com>; Wed, 27 Sep 2000 22:22:50 -0700 (PDT)
Received: (qmail 22592 invoked by alias); 28 Sep 2000 05:24:40 -0000
Delivered-To: bugtraq en securityfocus com
Received: (qmail 22580 invoked from network); 28 Sep 2000 05:24:40 -0000
Received: from adsl-64-222-80-8.bellatlantic.net (HELO bunta.alpinista.phrozen.org) (64.222.80.8)
    by mail.securityfocus.com with SMTP; 28 Sep 2000 05:24:39 -0000
Received: from ath.alpinista.phrozen.org (ath.alpinista.phrozen.org [192.168.1.4])
    by bunta.alpinista.phrozen.org (8.9.3/8.8.7) with SMTP id BAA05957;
    Thu, 28 Sep 2000 01:29:26 -0400
From: George Bakos <alpinista en bigfoot com>
Organization: EWA-IIT
To: info en sans org, bugtraq en securityfocus com
Subject: another wu-ftpd exploit
Date: Thu, 28 Sep 2000 01:26:14 -0400
X-Mailer: KMail [version 1.1.61]
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <00092801261400 11851 en ath alpinista phrozen org>
Content-Transfer-Encoding: 8bit

Yesterday www.hack.co.za made available yet another format string stack overwrite exploit for wu-ftpd 2.6.0-*. I have seen an increased level of scanning for port 21 in the past 36 hours, no doubt attributable to this latest SITE EXEC vulnerability.
This problem is previously addressed by bugtraq id 1387 and CERT/CC CA-2000-13
http://www.cert.org/advisories/CA-2000-13.html

The new tool (wu-lnx.c) in the lab against Mandrake 7.1 and RH 6.0 shows limited success as well as 100% effectiveness against RH 6.2. Version 2.6.1 does not appear vulnerable.

A preliminary scrub of the code and traces indicated that user data supplied via the PASS command is stuffed with shellcode and a SITE EXEC then overwrites a stack pointer to call it. The following is an entry left in /var/log/messages on the target box. Note the last line.

Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM grover.tester.org [192.168.222.1], ? 1À1Û1ɰFÍ€1À1ÛC‰ÙA°? Í€ëk^1À1É^^AˆF^Df¹ÿ^A°'Í€1À^^A°=Í€1À1Û^^H‰C^B1ÉþÉ1À^^ H°^LÍ€þÉuó1ÀˆF^I^^H°=Í€þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^H V^L°^KÍ€1À1Û°^AÍ€èÿÿÿ0bin0sh1..11

As the parent service (inetd) is not affected, there may be no external indication that a site has been attacked. Additionally, this is not a buffer overflow, and no process will exit unexpectedly. Ndiff and similar techniques will fail to detect any changes in the status of listening inet ports on exploited systems.

This is another incarnation of a very serious vulnerability. If you are running wu-ftpd 2.60-*, it is advised that you upgrade to the 2.6.1 release.

George Bakos
Systems Security Engineer
EWA-IIT
alpinista en bigfoot com

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
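
A log check built on the /var/log/messages entry quoted in the message above, as an added example that is not part of the original post: it flags anonymous wu-ftpd logins whose logged password contains 8-bit or non-printable characters or is unusually long. The 64-character threshold, the function names and the sample lines are assumptions made for this example.

```python
import re

# wu-ftpd syslog entry for an anonymous login; the trailing field is the
# client-supplied password (normally an e-mail address).
LOGIN_RE = re.compile(
    r"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM "
    r"(?P<host>\S+) \[(?P<ip>[0-9.]+)\], (?P<password>.*)$"
)

MAX_PASSWORD_LEN = 64  # assumption: threshold chosen for this example


def suspicious_reasons(password):
    """Return the reasons a logged anonymous password looks like binary data."""
    reasons = []
    odd = [c for c in password if not (0x20 <= ord(c) <= 0x7E)]
    if odd:
        reasons.append(f"{len(odd)} non-printable or 8-bit characters")
    if len(password) > MAX_PASSWORD_LEN:
        reasons.append(f"length {len(password)} exceeds {MAX_PASSWORD_LEN}")
    return reasons


def scan(lines):
    """Yield (ip, pid, reasons) for each anonymous login worth reviewing."""
    for line in lines:
        m = LOGIN_RE.search(line.rstrip("\n"))
        if not m:
            continue
        reasons = suspicious_reasons(m.group("password"))
        if reasons:
            yield m.group("ip"), int(m.group("pid")), reasons


# Constructed sample lines (not taken from a real system). The second
# password is arbitrary 8-bit filler, not working code.
SAMPLE = [
    "Sep 28 02:40:11 drteeth ftpd[14970]: ANONYMOUS FTP LOGIN FROM "
    "client.example.org [192.0.2.10], user@example.org",
    "Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM "
    "grover.tester.org [192.168.222.1], ? " + "\u00c0\u00db\u00cd\u0080" * 20,
    "Sep 28 02:47:02 drteeth inetd[312]: pid 14989: exit status 0",
]

if __name__ == "__main__":
    for ip, pid, reasons in scan(SAMPLE):
        print(f"review ftpd[{pid}] from {ip}: {'; '.join(reasons)}")
```

Because the message notes that no process exits unexpectedly and the listening ports do not change, a log review of this kind is one of the few host-side signals available; it only works if the logs are shipped off the host before they can be altered.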