Full Disclosure mailing list archives

VSFTPD Remote Heap Overrun (low severity)


From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Sat, 3 Dec 2011 01:50:52 +0100

This is afaik a patched CVE in Linux glibc [1] which can be triggered through
the very secure ftp daemon [2] so it will only work on older linux distros.
Be aware that vsftpd has privilege separation built in so this bug
will not yield a root shell.
It could yield root only in conjunction with a linux kernel vulnerability
because the attacker will not be able to break the chroot without being root.
This bug has a low severity because it's hard to exploit.
Linux systems without patched glibc are vulnerable even if the latest
version vsftpd-2.3.4 is installed.
The bug is in the glibc timezone code. vsftpd loads timezone files
from /usr [3]. If the attacker is inside a chroot
he can easily create this directory and the timezone file and trigger
the heap overrun.

A Debugging Session illustrating the bug can be found on youtube:
http://www.youtube.com/watch?v=KRCuozBM_dQ

Cheers!

[1] http://dividead.wordpress.com/tag/heap-overflow/
[2] https://security.appspot.com/vsftpd.html
[3] For example /usr/share/zoneinfo/UTC-01:00

/Kingcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
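As an added defensive check (example code written for this page, not part of the original post, of glibc or of the vsftpd project): the post says the overrun is reached because vsftpd, inside the user's chroot, loads timezone files from /usr/share/zoneinfo, so the precondition an administrator can audit is whether an FTP user is able to create (or has already created) a usr/share/zoneinfo tree under their chroot root. The script below takes a list of chroot root directories, reports any whose root is writable by the FTP user (assumed, by default, to be the directory's owner, the usual chroot-into-home layout) and any that already contain a zoneinfo directory. The three sample chroots it builds under a temporary directory are constructed fixtures, not real accounts.

```python
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Directory, relative to the chroot root, named in the post as the place
# vsftpd/glibc reads timezone files from (/usr/share/zoneinfo, e.g. UTC-01:00).
ZONEINFO_SUBDIR = os.path.join("usr", "share", "zoneinfo")


@dataclass
class ChrootFinding:
    root: str
    owner_uid: int
    user_can_write_root: bool
    zoneinfo_paths: list = field(default_factory=list)

    @property
    def at_risk(self) -> bool:
        # Either the user could create usr/share/zoneinfo themselves, or such a
        # tree is already present inside the chroot.
        return self.user_can_write_root or bool(self.zoneinfo_paths)

    def describe(self) -> str:
        status = "AT RISK" if self.at_risk else "ok"
        details = []
        if self.user_can_write_root:
            details.append("chroot root writable by FTP user")
        for p in self.zoneinfo_paths:
            details.append(f"zoneinfo entry present: {p}")
        suffix = " (" + "; ".join(details) + ")" if details else ""
        return f"{status:7} {self.root}{suffix}"


def _mode_allows_write(st: os.stat_result, uid: int, gids) -> bool:
    """Classic DAC check of the directory's mode bits for the given uid/gids.
    (Root bypasses these bits, but vsftpd's separated FTP session does not run as root.)"""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_chroot(root: str, ftp_uid: int = None, ftp_gids=()) -> ChrootFinding:
    """Audit one chroot root. ftp_uid defaults to the directory owner, i.e. the
    assumption that each user is chrooted into a home directory they own."""
    st = os.stat(root)
    uid = st.st_uid if ftp_uid is None else ftp_uid
    finding = ChrootFinding(root=root, owner_uid=st.st_uid,
                            user_can_write_root=_mode_allows_write(st, uid, set(ftp_gids)))
    zone_dir = os.path.join(root, ZONEINFO_SUBDIR)
    if os.path.isdir(zone_dir):
        entries = sorted(os.listdir(zone_dir))
        # An empty zoneinfo directory is still reported, by its own path.
        finding.zoneinfo_paths = [os.path.join(zone_dir, e) for e in entries] or [zone_dir]
    return finding


def audit_chroots(roots) -> list:
    return [audit_chroot(r) for r in roots]


def make_demo_chroots(base: str = None) -> dict:
    """Constructed fixtures (not real accounts): three sample chroot roots."""
    base = base or tempfile.mkdtemp(prefix="vsftpd-audit-demo-")
    safe = os.path.join(base, "alice")        # root not writable by the user
    os.makedirs(os.path.join(safe, "upload"))
    os.chmod(safe, 0o555)
    exposed = os.path.join(base, "bob")       # user could create usr/ here
    os.makedirs(exposed)
    os.chmod(exposed, 0o755)
    planted = os.path.join(base, "carol")     # zoneinfo tree already inside the chroot
    os.makedirs(os.path.join(planted, ZONEINFO_SUBDIR))
    with open(os.path.join(planted, ZONEINFO_SUBDIR, "UTC-01:00"), "wb") as fh:
        fh.write(b"placeholder, not a real tzfile\n")  # presence is what gets reported
    os.chmod(planted, 0o555)
    return {"base": base, "safe": safe, "exposed": exposed, "planted": planted}


if __name__ == "__main__":
    demo = make_demo_chroots()
    for finding in audit_chroots([demo["safe"], demo["exposed"], demo["planted"]]):
        print(finding.describe())
```

On a real host, pass the actual chroot roots (for example the home directories of local FTP users) to `audit_chroots`; a writable chroot root is the finding to fix, since with a read-only root the user cannot create the /usr path the post describes.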