Bugtraq mailing list archives

Local exploit for TrollFTPD-1.26


From: zen-parse <zen-parse () gmx net>
Date: Mon, 13 Aug 2001 15:22:22 +1200 (NZST)

Affects:    TrollFTPD 1.26 (probably earlier)

Severity:   local users can gain root access.

Fix:        upgrade to TrollFTPD-1.27

Fix URL:    ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz

Description:

 An error in the handling of recursive directory listings can result in an
 exploitable buffer overflow.

Exploit:

(Offsets are for one machine; not guaranteed to work on any others.)

Run the program,
ftp localhost
<in ftp>
(your username)
(your password)
cd /tmp
ls -R

<out of ftp>
Connect to port 10000 with nc
Be nice.

-- zen-parse

-- 
-------------------------------------------------------------------------
The preceding information, unless directly posted by zen-parse () gmx net to
an open forum, is confidential information and not to be distributed
(without explicit permission being given by zen-parse () gmx net). Legal
action may be taken to enforce this. If you are mum or dad, this probably
doesn't apply to you.

Attachment: trock.c
Description: TrollFTPD exploit

