Full Disclosure mailing list archives
Re: Exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd
From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Tue, 13 Dec 2011 18:36:01 +0100
Hi,

I read through your blog post with much excitement, as it seems you got your way through to a stable way to exploit this vulnerability; congrats on that.

Apart from the discussion on how to exploit the heap overrun, I just want to mention that to exploit this bug in vsftpd you have to break the chroot, as done in the FreeBSD ftpd/proftpd case, and for this you need to have root privileges. Since vsftpd uses privilege separation, one might use a Linux local root exploit through the syscall interface to get root. So, for example, one way would be:

1.) upload a customized, statically linked local root exploit which will break chroot and drop the shell as either portbind or connectback or any other method
2.) exploit the heap overrun to do an execve to the Linux local root
3.) the customized local root binary will first get root privs and then, for example, use ptrace to break chroot and send the shell back to the attacker.

Now this would be nice to see in a real exploit, since I have not seen such a technique be used anywhere, anytime.

Regards,
Kingcope