Bugtraq mailing list archives
Re[2]: Solaris telnet vulnerability - how many on your network?
From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 22 Feb 2007 17:15:21 -0500 (EST)
Cromar Scott said:

> I know that my initial reaction was "haven't I seen this before?" but the above two are what I found in my notes when I looked back.

There are at least 20 FTP server implementations that have had buffer overflows with a long USER command. HTTP GET directory traversals are probably not that far behind.

Thierry Zoller said:

> a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess).

As buffer overflow protection schemes get stronger, I would expect to see more of these "data-driven" attacks that target adjacent data instead of the stack or the heap. It's all about how important the adjacent data is and when it's accessed. The overflow in CVE-2004-1291 was used to turn a server into a spam relay, for example. Presumably, data-driven attacks are being done by Windows researchers already? I don't usually study overflows down to that level of detail. To get the same effect in Perl, you could exploit a format string vulnerability in a Perl application by causing the *printf to write to shifted arguments (see my white paper from some time back), but that's probably pretty rare in the wild for the handful of people who bother to look.

- Steve
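The "important adjacent data" point above, as an added illustration that is not part of this thread: a constructed C model (not the Solaris login source) in which a fixed-size copy of a client-supplied value sits directly before an authentication flag, showing the unchecked copy that lets an over-long value corrupt the flag beside the bounds-checked version that rejects it. The struct layout, field names and sizes are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Solaris login code: a fixed-size copy of a
 * client-supplied value sits directly before the authentication flag. */
struct login_state {
    char prompt[8];
    int  authenticated;   /* the "important adjacent data" */
};

/* Vulnerable pattern: no length check, so an over-long value runs past
 * prompt[] into authenticated. The copy is modelled as a byte copy over the
 * whole object to reproduce an unbounded strcpy deterministically. */
int vulnerable_set_prompt(const char *value)
{
    struct login_state st;
    size_t n = strlen(value);

    memset(&st, 0, sizeof st);
    if (n > sizeof st)
        n = sizeof st;
    memcpy(&st, value, n);
    return st.authenticated;   /* non-zero means the flag was corrupted */
}

/* Hardened pattern: length checked against the destination, over-long
 * values rejected outright. Returns -1 on rejection, else the flag. */
int safe_set_prompt(const char *value)
{
    struct login_state st;
    size_t n = strlen(value);

    memset(&st, 0, sizeof st);
    if (n >= sizeof st.prompt)
        return -1;                     /* does not fit: refuse, do not truncate */
    memcpy(st.prompt, value, n + 1);   /* n + 1 copies the terminating NUL */
    return st.authenticated;           /* always 0: the flag was never reachable */
}

int main(void)
{
    const char *overlong = "AAAAAAAAAAAAAAAA";   /* constructed 16-byte value */
    printf("vulnerable: authenticated=%d\n", vulnerable_set_prompt(overlong));
    printf("hardened:   rc=%d\n", safe_set_prompt(overlong));
    return 0;
}
```

The vulnerable path reports a non-zero flag for the over-long value because bytes 8 to 11 of the struct are overwritten; the hardened path never touches the flag and returns -1 instead.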