wuftpd v2.6.2 skey stack overflow vulnerability
 by <michael@scanit.be>

 -------------------------------------------------------------------------- 
 
 Affected:     Washington University FTP daemon, version 2.6.2 and 
               possibly below (not tested), with SKEY support enabled.
               
 Not affected: NetBSD machines running wu-ftpd
 
 Impact:  Severe (remote code execution) if skey support is enabled.

 
 General:
 --------
 
 The Washington University FTP daemon (hereafter referred to as "wuftpd") is
 a replacement FTP server for POSIX systems.  Wuftpd supports skey
 authentication to provide secure logins.  However, the code that 'handles'
 this has an exploitable stack-based buffer overflow.  By providing specially
 crafted authentication credentials, it is possible to crash the daemon or
 execute user-supplied code, running with root privileges.

        
 Technical details:
 ------------------
 
 A statically allocated buffer is filled using the sprintf() function in the
 skey_challenge() function (src/ftpd.c).  
 
 char *skey_challenge(char *name, struct passwd *pwd, int pwok)         
 {                                                               
     static char buf[128];
     ...
     if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf))    
         sprintf(buf, "Password required for %s.", name);
     else
         sprintf(buf, "%s %s for %s.", sbuf,
                 pwok ? "allowed" : "required", name);
     return (buf);
 }

 The variable *name is never subject to any bounds checking.
 
 It is possible to write beyond the buf[] array, overwriting the return address
 of the function, modifying the path of execution flow.
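
 The following is an added example, not code from the advisory or from wu-ftpd: a bounded formatter built on the two format strings quoted above, which measures the space a user name needs and refuses a reply that does not fit in 128 bytes. The names format_challenge, challenge_needed and CHALLENGE_BUF, the NULL-sbuf convention and the fallback reply are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CHALLENGE_BUF 128   /* same size as buf[] in skey_challenge() */

/* Bytes (including the NUL) that the "Password required" reply needs
 * for a given user name; snprintf(NULL, 0, ...) only measures. */
size_t challenge_needed(const char *name)
{
    int n = snprintf(NULL, 0, "Password required for %s.", name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hypothetical bounded formatter using the advisory's two format strings.
 * sbuf == NULL stands for the "no s/key challenge" branch.
 * Returns 0 on success, -1 if the reply would not fit; buf then holds
 * a fixed-length fallback instead of a silently truncated string. */
int format_challenge(char *buf, size_t buflen, const char *sbuf,
                     int pwok, const char *name)
{
    int n;

    if (sbuf == NULL)
        n = snprintf(buf, buflen, "Password required for %s.", name);
    else
        n = snprintf(buf, buflen, "%s %s for %s.", sbuf,
                     pwok ? "allowed" : "required", name);

    if (n < 0 || (size_t)n >= buflen) {
        snprintf(buf, buflen, "Password required.");
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[CHALLENGE_BUF];
    char longname[301];               /* constructed over-long user name */

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("%d %s\n", format_challenge(buf, sizeof(buf), NULL, 0, "alice"), buf);
    printf("needs %zu bytes, have %d\n", challenge_needed(longname), CHALLENGE_BUF);
    printf("%d %s\n", format_challenge(buf, sizeof(buf), NULL, 0, longname), buf);
    return 0;
}
```

 With the fixed text taking 23 characters plus the terminator, the longest name that fits the first format string in a 128-byte buffer is 104 characters.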
 
  
 Fix/Workaround:
 ---------------

 To protect yourself against this vulnerability, disable skey support, or apply 
 the following patch:

 --- ftpd.c      2001-11-29 17:56:11.000000000 +0100
 +++ ftpd.c        2003-10-20 20:43:58.000000000 +0200
 @@ -1662,9 +1662,9 @@
      /* Display s/key challenge where appropriate. */
  
      if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf))
 -       sprintf(buf, "Password required for %s.", name);
 +       snprintf(buf, 128-1, "Password required for %s.", name);
      else
 -       sprintf(buf, "%s %s for %s.", sbuf,
 +       snprintf(buf, 128-1, "%s %s for %s.", sbuf,
                 pwok ? "allowed" : "required", name);
      return (buf);
  }
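
 Review bot: both snprintf() calls hard-code the bound as 128-1, which duplicates the size from the declaration of buf (static char buf[128], shown under Technical details) and will silently go stale if that declaration changes; use sizeof(buf) so the limit follows the array. snprintf() already counts the terminating NUL within the size it is given, so the -1 is not needed. The return value is ignored in both branches: a result greater than or equal to the size means the challenge text was truncated, so consider checking it and rejecting or logging an over-long name there instead of returning a silently cut reply.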
 

 This information has been provided by Michael Hendrickx <michael@scanit.be>