Last updated: Wednesday, 24-Mar-1999 23:32:10 EET
The vulnerability was analyzed by:
Insufficient bounds checking may make it possible to execute arbitrary code on end systems. This "stack smashing" has been popular because there are many servers and programs running with extended privileges that contain errors in bounds checking.
If we succeed in executing arbitrary code, we can gain access to something we could not normally reach.
To be successful, we must be able to connect to the ftp server. The second precondition is that there is an error in bounds checking in the ftp server program.
The attack can be launched from any location from which we can make connections to the server. Finding the right location for the shell code can be tricky, but it is much easier if we can run a debugger on the server, so we must have a similar system to test on.
Unsuccessful attacks can be spotted from the log entries; there may be some strange parameters. If the attack has been successful and the intruder can clean all evidence, detection is more difficult.
Storing logs on an extremely well protected dedicated machine can be of great help in detecting and tracing back the attack.
The best protection against this attack is to make sure that there are no errors in bounds checking in the server program. In some cases the front end on the firewall has filtered out too long arguments.
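As an added example of the bounds checking recommended above (not code from any of the servers analyzed here), this is a command-line parser that checks lengths against its fixed-size buffers before copying; the limits VERB_MAX and ARG_MAX are assumptions for the example.

```c
#include <string.h>
#include <ctype.h>

/* Size limits are assumptions for this example, not wu-ftpd's own. */
#define VERB_MAX 4
#define ARG_MAX  255

enum parse_result { PARSE_OK = 0, PARSE_EMPTY, PARSE_TOO_LONG, PARSE_BAD_CHAR };

struct ftp_cmd { char verb[VERB_MAX + 1]; char arg[ARG_MAX + 1]; };

/* Split one request line ("verb arg\r\n") into fixed-size fields.
 * Lengths are checked against the destination buffers before any copy,
 * so an overlong or non-printable line is refused instead of being
 * written past the end of a stack buffer. */
enum parse_result ftp_parse_line(const char *line, struct ftp_cmd *out)
{
    size_t n = strcspn(line, "\r\n");            /* bytes before CR/LF */
    const char *sp = memchr(line, ' ', n);
    size_t vlen = sp ? (size_t)(sp - line) : n;
    size_t alen = sp ? n - vlen - 1 : 0;
    size_t i;

    memset(out, 0, sizeof *out);
    if (vlen == 0) return PARSE_EMPTY;
    if (vlen > VERB_MAX || alen > ARG_MAX) return PARSE_TOO_LONG;
    for (i = 0; i < n; i++)
        if (!isprint((unsigned char)line[i])) return PARSE_BAD_CHAR;

    for (i = 0; i < vlen; i++)
        out->verb[i] = (char)toupper((unsigned char)line[i]);
    if (alen) memcpy(out->arg, sp + 1, alen);    /* bounded by the check above */
    return PARSE_OK;
}

/* A normal login command (constructed sample) is accepted and split. */
int parses_user_command(void)
{
    struct ftp_cmd c;
    return ftp_parse_line("user anonymous\r\n", &c) == PARSE_OK
        && strcmp(c.verb, "USER") == 0 && strcmp(c.arg, "anonymous") == 0;
}

/* A 600-byte argument, the kind of input the tester on this page sent,
 * is refused before anything is copied. */
int overlong_argument_rejected(void)
{
    char line[620];
    struct ftp_cmd c;
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'A', 600);
    memcpy(line + 604, "\r\n", 3);               /* copies the terminating NUL too */
    return ftp_parse_line(line, &c) == PARSE_TOO_LONG;
}
```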
The server programs were tested with a program which sent arbitrarily long commands to the server. The server process was simultaneously monitored with a tool (strace, truss, gdb). This cannot find complicated overflows, such as the one described below.
The Solaris 2.5 ftp server failed with a segmentation violation on those tests; because there was no debugger that could attach to a running process, it was not possible to study this further.
For the wu-2.4.2-academ[BETA-18] server (on RedHat Linux 5.2) there exists an exploit which enables root access if the account (even anonymous) can write to some directory.