Bugtraq mailing list archives
Re: A couple of patches (RFC931 and scp location)
From: simmonmt () CS PURDUE EDU (Matt Simmons)
Date: Sun, 8 Jun 1997 17:08:23 -0500
I added the authuser code from wu-ftpd 2.4 to ssh, and mentioned it in a post to the ssh list. One of the subscribers to that list, Benjamin Stassart, looked through it and found a possible buffer overrun. His message is included below - it refers to authuser.c from the support directory of the wu-ftpd distribution. Is this overrun exploitable and therefore nasty & bad?

Matt

Benjamin J Stassart <dszd0g () dasb fhda edu> writes:
[...] Also, unless I am mistaken it appears you could over-run one of the buffers in authuser.c with spaces or tabs. What this would be able to accomplish I do not know, but it should be fixed.

    while ((w = read(s, &ch, 1)) == 1) {
        *buf = ch;
        if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
            ++buf;
        if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
            break;
    }

Switching the if statements should fix the problem I believe? [...]

As for ease of overflowing the buffer, I would say pretty easy. I have hacked up pidentd source quite a bit. It is not difficult. Since the buffer is just read directly from the socket, well...

Benjamin J. Stassart
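As an added example (my own harness, not code from wu-ftpd, ssh, or either poster), the program below reproduces the quoted loop with the socket read replaced by a read from an in-memory byte string and records the highest realbuf index each write touches, for both the statement order as posted and the swapped order the reply proposes. It feeds two constructed inputs longer than the buffer: a run of spaces with no newline, and a line of non-space bytes. The buffer size is an assumed 64 bytes, since the page does not give sizeof(realbuf), and mem_read, run_loop and probe are names I chose.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example; not code from wu-ftpd, ssh, or the posters. The loop body
 * reproduces the fragment quoted in the post, with read(s, &ch, 1) replaced
 * by a read from an in-memory byte string so the harness runs offline.
 * REALBUF_SIZE is an assumed size: the page does not give sizeof(realbuf). */
#define REALBUF_SIZE 64

struct mem_sock {
    const char *data;
    size_t len;
    size_t pos;
};

/* Stand-in for read(2) one byte at a time: 1 with a byte, 0 at end of data. */
static int mem_read(struct mem_sock *s, char *ch)
{
    if (s->pos >= s->len)
        return 0;
    *ch = s->data[s->pos++];
    return 1;
}

struct loop_result {
    size_t stored;    /* buf - realbuf after the loop: bytes kept */
    size_t max_index; /* highest realbuf index any write touched */
    size_t consumed;  /* bytes pulled from the "socket" */
};

/* Runs the quoted loop over 'input'. swap_ifs == 0 is the order as posted
 * (store, maybe advance, then bound check); swap_ifs != 0 is the order the
 * reply proposes (store, bound check, then maybe advance). */
struct loop_result run_loop(const char *input, size_t len, int swap_ifs)
{
    char realbuf[REALBUF_SIZE];
    char *buf = realbuf;
    char ch;
    int w;
    struct mem_sock s = { input, len, 0 };
    struct loop_result r = { 0, 0, 0 };

    memset(realbuf, 0, sizeof realbuf);
    while ((w = mem_read(&s, &ch)) == 1) {
        r.consumed++;
        *buf = ch; /* the write the reply is worried about */
        if ((size_t)(buf - realbuf) > r.max_index)
            r.max_index = (size_t)(buf - realbuf);
        if (!swap_ifs) {
            if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
                ++buf;
            if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
                break;
        } else {
            if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
                break;
            if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
                ++buf;
        }
    }
    r.stored = (size_t)(buf - realbuf);
    return r;
}

/* Constructed input: PROBE_LEN copies of 'fill' (spaces or 'A'), no newline,
 * so the peer never ends the line and the data is longer than realbuf. */
#define PROBE_LEN 300

struct loop_result probe(char fill, int swap_ifs)
{
    char input[PROBE_LEN];
    memset(input, fill, sizeof input);
    return run_loop(input, sizeof input, swap_ifs);
}

int main(void)
{
    const char *order[] = { "as posted", "ifs swapped" };
    int i;
    for (i = 0; i < 2; i++) {
        struct loop_result sp = probe(' ', i);
        struct loop_result ln = probe('A', i);
        printf("%-11s spaces: consumed=%zu stored=%zu max_index=%zu\n",
               order[i], sp.consumed, sp.stored, sp.max_index);
        printf("%-11s A-line: consumed=%zu stored=%zu max_index=%zu\n",
               order[i], ln.consumed, ln.stored, ln.max_index);
    }
    printf("realbuf has %d slots, so indexes 0..%d are in bounds\n",
           REALBUF_SIZE, REALBUF_SIZE - 1);
    return 0;
}
```

For the quoted lines taken in isolation, with buf starting at realbuf, neither order writes past the last slot: the posted order stops after index 62 of 64 and the swapped order after index 63, and in both the stored count caps at sizeof(realbuf) - 1. What the space flood does show is that the limit is applied to stored bytes, not to bytes read, so a peer that sends only spaces, tabs or carriage returns keeps the loop consuming input for as long as it likes; a per-connection read limit or timeout is the usual defence. The rest of authuser.c (how buf is initialised and what is written after the loop, such as a terminator) is not on the page, so the harness covers only the fragment quoted here.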