Vulnerability Development mailing list archives

Re: compress(vul) + ftpd(?)


From: Gushterul <emild () sinaia globtel ro>
Date: Tue, 12 Mar 2002 14:02:20 +0200 (EET)

You can test with macdef
macdef 1
get /*/*/*/*/1.Z
$1

Gushterul

On Mon, 11 Mar 2002, Pavel Kankovsky wrote:

On Sat, 9 Mar 2002, H D Moore wrote:

ftp> mkdir A<254 * 0x90>
ftp> cd A*
[...]
ftp> put <reallysmallscode>
ftp> cd ../../../../
ftp> get A*/B*/C*/D*/reallysmallscode.Z

Afaik this won't work because glob() does not expand the path unless a file
matching the *complete* pattern exists. But if x.Z exists, "get x.Z" will
not run compress. Fortunately, we do not get Catch 22 because there is a
nice race condition there. To make things better, wu-ftpd appears to
compute all filenames matching a pattern during wildcard expansion and
drops everything but the first entry of the list afterwards, i.e. it is
possible to make the delay much longer and easier to exploit.

BTW: This is an ANCIENT problem.
You would think it would have been fixed by now ;)

Oh really? ;)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


