From owner-doc-jp@jp.freebsd.org  Mon Jul 10 12:46:05 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id MAA75571;
	Mon, 10 Jul 2000 12:46:05 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from TYO202.gate.nec.co.jp (TYO202.gate.nec.co.jp [202.247.6.41])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id MAA75566
	for <doc-jp@jp.freebsd.org>; Mon, 10 Jul 2000 12:46:05 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: from mailsv4.nec.co.jp (mailsv4-le1 [192.168.1.93])
	by TYO202.gate.nec.co.jp (8.9.3/3.7W00052210) with ESMTP id MAA19383
	for <doc-jp@jp.freebsd.org>; Mon, 10 Jul 2000 12:46:04 +0900 (JST)
Received: from mmssv.mms.mt.nec.co.jp (mmssv.mms.mt.nec.co.jp [133.201.63.216]) by mailsv4.nec.co.jp (8.9.3/3.7W-MAILSV4-NEC) with ESMTP
	id MAA09714 for <doc-jp@jp.freebsd.org>; Mon, 10 Jul 2000 12:46:04 +0900 (JST)
Received: from koga.do.mms.mt.nec.co.jp (koga.do.mms.mt.nec.co.jp [10.16.5.16]) by mmssv.mms.mt.nec.co.jp (8.8.4+2.7Wbeta4/3.4W3MMS96052011) with ESMTP id MAA13330 for <doc-jp@jp.freebsd.org>; Mon, 10 Jul 2000 12:40:00 +0900 (JST)
Received: from localhost (localhost [127.0.0.1])
	by koga.do.mms.mt.nec.co.jp (8.10.2/3.7W-00052406) with ESMTP id e6A3k1n02013;
	Mon, 10 Jul 2000 12:46:01 +0900 (JST)
Message-Id: <200007100346.e6A3k1n02013@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <200007091525.AAA25085@sta.att.ne.jp>
References: <20000705230939.CF9F237BB66@hub.freebsd.org>
	<200007091525.AAA25085@sta.att.ne.jp>
	<200007091908.EAA06099@mail.geocities.co.jp>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Mon, 10 Jul 2000 12:46:01 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 59
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7515
Subject: [doc-jp 7515] Re: ANNOUNCE: FreeBSD Ports Security Advisory:
 FreeBSD-SA-00:29.wu-ftpd
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

"Iwakuni, Tomohiko" <iwac@sta.att.ne.jp>:
> $B!!$3$s$P$s$O!"4dT"$G$9!#(B
> $B!!Lu$7$F$_$^$7$?!#59$7$/$*4j$$$7$^$9!#(B

$B$Q$A$Q$A$Q$A!y(B

> =============================================================================
> FreeBSD-SA-00:29                                           Security Advisory
$B!D(B $B$5$/$C$HN,(B $B!D(B
> $B1F6AHO0O(B:       Ports collection.

$B%T%j%*%I<h$j$^$7$g$&$+!#(B

> Vendor status:  Contacted
> $B%Y%s%@$NBP1~(B:   $B%Y%s%@$KLdBj$r9pCN:Q$_(B

contact $B$r$7$?$N$O(B FreeBSD $B$N%A!<%`$8$c$J$$$h$&$J!D(B

> I.   $BGX7J(B - Background
>  wu-ftpd is a popular FTP server.
>  wu-ftpd$B$O?M5$$N$"$k(BFTP$B%5!<%P$G$9(B.

$B!V%5!<%P%W%m%0%i%`!W$K$7$?J}$,$$$$$+$b!#(B

> I.  $BLdBj$N>\:Y(B - Problem Description
> > The wu-ftpd port, versions 2.6.0 and below, contains a vulnerability
> > which allows remote anonymous FTP users to execute arbitrary code as
> > root on the local machine, by inserting string-formatting operators
> > into command input, which are incorrectly parsed by the FTP server.
> wu-ftpd$B$N(Bport($B%P!<%8%g%s(B2.6.0$B$*$h$S$=$l0J2<(B)$B$O%;%-%e%j%F%#>e$N<eE@(B
> $B$,$"$j$^$9(B.$BJ8;zNs7A<0$N%*%Z%l!<%?$r%3%^%s%IF~NO$KA^F~$9$k;v$K$h$C$F(B
> ,FTP$B%5!<%P$O4V0c$C$?%Q!<%9$r$7$^$9(B.$B$=$N$3$H$K$h$j(B,$B%j%b!<%H$NF?L>(BFTP
> $B%f!<%6$O(B,$B%k!<%H8"8B$H$7$F$=$N%m!<%+%k%^%7%s>e$GG$0U$N%3!<%I$,<B9T$G(B
> $B$-$k$h$&$K$J$j$^$9(B.
>  |wu-ftpd $B$N(B port ($B%P!<%8%g%s(B 2.6.0 $B$*$h$S$=$l0JA0$N$b$N(B) $B$K$O(B,
>  |$B%j%b!<%H$N(B anonymous FTP $B%f!<%6$,%m!<%+%k%^%7%s>e$N(B root $B8"8B$G(B
>  |$BG$0U$N%3!<%I$r<B9T$G$-$k$H$$$&%;%-%e%j%F%#>e$N<eE@$,$"$j$^$9(B.
>  |$B%3!<%I$N<B9T$O(B, $B%3%^%s%IF~NO$K(B FTP $B%5!<%P$,@5$7$/2r@O$G$-$J$$$h$&$J(B
>  |$BJ8;zNs7A<0$N1i;;;R$rF~$l$k$3$H$G2DG=$H$J$j$^$9(B.

$B$"$!!"$3$l$O86J8$,0-$$!#(Banonymous $B$K8B$i$:!"%m%0%$%s2DG=$J%f!<%6$J$iC/(B
$B$G$b$G$9!#(Banonymous $B$N>l9g$O%f!<%6$NG'>Z$,;v<B>e0UL#$,$J$$$N$G!"FC$K4m(B
$B81$@$H$$$&$@$1$G$9!#LuCpF~$l$^$7$g$&!#(B

$B$"$H!"$3$3$G$$$&(B string-formatting operators $B$O!"(Bprintf() $B$J$s$+$G;H$o(B
$B$l$k%U%)!<%^%C%F%#%s%0J8;zNs(B ($B$?$H$($P(B "%s") $B$N$3$H$G$9!#(BJIS $B$G$O$J$s(B
$B$FLu$9$s$@$C$1!)(B

> III. $B1F6AHO0O(B - Impact
> > Remote anonymous FTP users can cause arbitrary commands to be executed
> > as root on the local machine.
> $B%j%b!<%H$NF?L>(BFTP $B%f!<%6$,%m!<%+%k%^%7%s>e$G%k!<%H8"8B$H$7$FG$0U$N%3%^%s%I(B
> $B$r<B9T$9$k$3$H$,2DG=$G$9(B.
>  |$B%j%b!<%H$N(B anonymous FTP $B%f!<%6$,%m!<%+%k%^%7%s>e$N(B root $B8"8B$G(B
>  |$BG$0U$N%3%^%s%I$r<B9T$9$k$3$H$,2DG=$G$9(B.

$B$H$$$&$o$1$G!"$3$3$bLuCp$G$9$M!#(B
----
$B$3$,$h$&$$$A$m$&(B
