Bugtraq mailing list archives

Re[2]: Solaris telnet vulnerability - how many on your network?


From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 22 Feb 2007 17:15:21 -0500 (EST)


Cromar Scott said:

I know that my initial reaction was "haven't I seen this before?"
but the above two are what I found in my notes when I looked back.

There are at least 20 FTP server implementations that have had buffer
overflows with a long USER command.  HTTP GET directory traversals are
probably not that far behind.


Thierry Zoller said:

a very simple exploit, which does not require any code to be compiled
by an attacker, exists. The exploit requires the attacker to simply
define the environment variable TTYPROMPT to a 6 character string,
inside telnet. I believe this overflows an integer inside login, which
specifies whether or not the user has been authenticated (just a
guess).

As buffer overflow protection schemes get stronger, I would expect to
see more of these "data-driven" attacks that target adjacent data
instead of the stack or the heap.  It's all about how important the
adjacent data is and when it's accessed.  The overflow in
CVE-2004-1291 was used to turn a server into a spam relay, for
example.  Presumably, data-driven attacks are being done by Windows
researchers already?  I don't usually study overflows down to that
level of detail.  To get the same effect in Perl, you could exploit a
format string vulnerability in a Perl application by causing the
*printf to write to shifted arguments (see my white paper from some
time back), but that's probably pretty rare in the wild for the
handful of people who bother to look.

- Steve
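The "adjacent data" overwrite Steve describes, as an added illustration that is not from this thread or from any Solaris source: a constructed record where a peer-supplied string sits directly before an authentication flag, with the unchecked copy beside a bounded copy that rejects over-length input. The struct, member names and sizes are assumptions made for the demonstration.

```c
#include <string.h>

/* Constructed model, not the Solaris login code: a fixed-size input
 * buffer laid out directly before the integer that records whether the
 * user has authenticated.  Names, sizes and layout are assumptions. */
struct session {
    char ttyprompt[8];   /* terminal-type string taken from the peer */
    int  authenticated;  /* 0 = not yet authenticated */
};

/* Defective setter: trusts the peer-supplied length.  The copy is capped
 * at the record size only so the demo stays inside the object (defined
 * behaviour); bytes beyond ttyprompt[] still land in the adjacent flag,
 * so no stack or heap metadata is touched and no code needs to run. */
int set_prompt_unchecked(struct session *s, const char *src, size_t len)
{
    if (len > sizeof *s)
        len = sizeof *s;
    memcpy(s, src, len);             /* runs across the member boundary */
    return 0;
}

/* Hardened setter: refuse anything that cannot fit with its terminator
 * and never write outside ttyprompt[].  Returns -1 on rejection. */
int set_prompt_checked(struct session *s, const char *src, size_t len)
{
    if (len >= sizeof s->ttyprompt)
        return -1;                   /* too long: reject, do not truncate */
    memcpy(s->ttyprompt, src, len);
    s->ttyprompt[len] = '\0';
    return 0;
}

/* Feed one input to a setter on a zeroed record and return the flag value;
 * on the safe path it must stay 0 whatever the peer supplied. */
int flag_after(int (*setter)(struct session *, const char *, size_t),
               const char *src, size_t len)
{
    struct session s;
    memset(&s, 0, sizeof s);
    setter(&s, src, len);
    return s.authenticated;
}
```

With a 12-byte constructed input the unchecked path leaves `authenticated` nonzero while the checked path returns -1 and leaves it at 0.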
