Bugtraq mailing list archives
Re: Pro/wuFTPD DoS
From: fygrave () TIGERTEAM NET (CyberPsychotic)
Date: Fri, 19 Feb 1999 19:56:59 +0500
~ Maybe you should repost your email to bugtraq because Aleph1 may not
~ have seen it (I think he is damn busy with 25000+ subscribers).
~

I think I will probably write it again, since I don't have it saved
somewhere. There's nothing fascinating actually. This seems to be a heap
buffer overflow, which smashes pointers to the dirnames (thus you could
probably get access to files outside the chrooted environment):

Here's a screenshot of gdb, attaching to running proftpd process before
overflow took place:

--/gdb screenshot/---
Program received signal SIGSEGV, Segmentation fault.
0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
    s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
    n=1094795585) at ../sysdeps/generic/strncpy.c:82
../sysdeps/generic/strncpy.c:82: No such file or directory.
(gdb) where
#0  0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
    s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
    n=1094795585) at ../sysdeps/generic/strncpy.c:82
#1  0x8057963 in fs_clean_path (
    path=0x41414141 <Address 0x41414141 out of bounds>,
    buf=0x41414141 <Address 0x41414141 out of bounds>, maxlen=1094795585)
    at fs.c:776
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)
--/gdb screenshot/--

The overflow causes SIGSEGV in the fs_clean_path() routine, but it happened in
fs_dircat(), which eventually overwrote pointers to path and buf.

I didn't have time to check whether 1.2.pre2 is vulnerable to this.
(tested with 1.2.pre1 with patch applied).

hope this helps..

regards
~Fyodor

--
http://www.kalug.lug.net/ PGP key: hkp://keys.pgp.com/cyberpsychotic
http://www.kalug.lug.net/fygrave email:fygrave () tigerteam net
"There are three kinds of people: men, women, and unix."
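A triage sketch for the backtrace quoted in the message above, added here as an example and not part of the original post: it flags frame arguments and program counters that consist of one printable byte repeated four times (0x41414141, which is also the decimal 1094795585 shown for n and maxlen), the sign that the values were overwritten before the crashing frame ran. The backtrace text is abbreviated from the message, and the names `is_filler` and `triage` are hypothetical.

```python
import re

# Constructed sample: the three frames from the gdb session in the message,
# joined onto one line per frame and with the s2 string abbreviated.
BACKTRACE = """\
#0  0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>, s2=0xbfffea88 'A' <repeats 186 times>, n=1094795585) at ../sysdeps/generic/strncpy.c:82
#1  0x8057963 in fs_clean_path (path=0x41414141 <Address 0x41414141 out of bounds>, buf=0x41414141 <Address 0x41414141 out of bounds>, maxlen=1094795585) at fs.c:776
#2  0x41414141 in ?? ()
"""

# "#N  0xPC in function (args)" as printed by gdb's `where`.
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \((.*)\)", re.M)
# name=value pairs where the value is a hex pointer or a decimal integer.
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\d+)")


def is_filler(value: int) -> bool:
    """True if a 32-bit value is one printable ASCII byte repeated four times."""
    if not 0 <= value < 2**32:
        return False
    raw = value.to_bytes(4, "little")
    return len(set(raw)) == 1 and 0x20 <= raw[0] < 0x7F


def triage(backtrace: str) -> list:
    """Return one record per frame naming the values that look like filler."""
    report = []
    for num, pc, func, args in FRAME_RE.findall(backtrace):
        hits = {name: hex(int(val, 0))
                for name, val in ARG_RE.findall(args)
                if is_filler(int(val, 0))}
        report.append({"frame": int(num), "func": func,
                       "pc_is_filler": is_filler(int(pc, 16)),
                       "filler_args": hits})
    return report


if __name__ == "__main__":
    for rec in triage(BACKTRACE):
        print(rec)
```

Every pointer and length argument of fs_clean_path is flagged while s2 (a real stack address) is not, which matches the message's reading that the corruption happened earlier than the frame that faulted.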