Numerous holes in FTP server for Mac [update]
The Month of Apple Bugs (MOAB) has published a number of vulnerabilities in Rumpus, an FTP server for the Mac. According to the security advisory, the rumpusd daemon contains heap overflows, denial-of-service holes and privilege escalation vulnerabilities. The heap overflows can reportedly even be exploited remotely over the network. As the service runs with root privileges, intruders would then have complete control of the Mac. According to the advisory, most of the holes stem from flaws in the parsing of FTP and HTTP requests and from insecure use of the system() function. In addition, setuid privileges are improperly set on binaries. The vulnerabilities affect the current version 5.1 of Rumpus and earlier versions running on Mac OS X for PowerPC and Intel. No update has been made available yet.
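The advisory's phrase "insecure use of the system() function" describes a well-known class of server bug: a string taken from the network (here an FTP or HTTP request argument) is spliced into a shell command line, so shell metacharacters in the request are interpreted by /bin/sh rather than treated as part of a file name. The following C program is an added illustration of that pattern and of the usual fix; it is not Rumpus code and makes no claim about how rumpusd is actually written. It contrasts the vulnerable command-building step with a hardened version that validates the name against an allow-list and runs the helper through fork()/execv() with an argument vector, so no shell is ever involved. The file name "report.txt" and the request argument containing a semicolon are constructed sample inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustration only): the request argument is copied
 * verbatim into a shell command line. Whatever the client sends is later
 * parsed by /bin/sh when the string is handed to system(). */
int build_shell_command(const char *request_arg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/bin/ls -l %s", request_arg);
    return n >= 0 && (size_t)n < outlen;   /* 1 if the command fit */
}

/* Hardened step 1: accept only plain file names. Allow-listing a small
 * character set is simpler and safer than trying to escape metacharacters. */
int is_safe_name(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;                      /* '/', ';', '|', '$', space ... rejected */
    }
    return 1;
}

/* Hardened step 2: never go through a shell. The helper is started with an
 * explicit argv, so the name is always exactly one argument, and "--" stops
 * a name such as "-R" from being read as an option.
 * Returns the helper's exit status, or -1 if the name was rejected or the
 * process could not be run. */
int run_ls_without_shell(const char *name)
{
    if (!is_safe_name(name))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/ls", "-l", "--", (char *)name, NULL };
        execv("/bin/ls", argv);
        _exit(127);                        /* only reached if execv failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    const char *hostile = "report.txt; id";      /* constructed sample request argument */

    build_shell_command(hostile, cmd, sizeof cmd);
    printf("system() would receive: %s\n", cmd);  /* two commands, not one file name */

    printf("is_safe_name(\"report.txt\")     = %d\n", is_safe_name("report.txt"));
    printf("is_safe_name(\"report.txt; id\") = %d\n", is_safe_name(hostile));
    printf("run_ls_without_shell(hostile)  = %d\n", run_ls_without_shell(hostile));
    return 0;
}
```

The printed command line shows why system() is the wrong primitive for request-driven data: the server intended one `ls` invocation on one file, but the shell sees a command separator and a second command. The hardened path fails closed, returning -1 for the hostile argument before any process is spawned, and even for an accepted name the helper receives it as a single argv element. When the daemon also runs as root, as the advisory says rumpusd does, dropping privileges before spawning helpers would be the complementary mitigation.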
Meanwhile, the MOAB team has started to discredit itself. Anyone who tries to access a not-yet-released security advisory by guessing filenames is confronted with extremely revolting pornographic images included from an external website. (We strongly recommend that readers do not try to find this.) In addition, the web page attempts to open any IRC client that may be installed and have it join a Mac developer channel. Furthermore, a number of e-mail windows open up addressed to Rosyna Keller, a member of the MOAB Fix Group and a co-developer of the Application Enhancer (APE).
In doing this, the initiators of the MOAB, LMH and Kevin Finisterre, are giving critics even more reason to accuse them of childish behaviour. They have already been criticised for promoting themselves rather than drawing attention to real security problems. Developers who have tried to fix the reported problems have reportedly been attacked or ridiculed. All in all, it looks as if only a very thin layer of professionalism covers rather selfish and childish characters.
In a mail to heise Security, LMH rejects the accusations of selfish and childish behaviour as "defamation". He wrote: "You are not supposed to 'guess' next day release", and that heise Security is "caught with the hand in the cookie jar". Regarding the "certainly disgusting images" displayed on his site, he states that "no offense is meant". In any case, the team has since replaced the offending pages with one that displays only a simple error message.
- Rumpus Multiple Vulnerabilities, MOAB's security advisory