Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Red Hat 6.2's ftp segmentation fault

From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Fri, 23 Jun 2000 22:34:39 +0200

On Fri, 23 Jun 2000, Osvaldo J. Filho wrote:


Yes, there is a Wu-FTPD 2.6.0 private exploit around here. I got the
exploit too, and it look likes that it works. Change to ProFTPD or NcFTPD.
[...]
The exploit uses site exec, but 'put' maybe vulnerable too.


No associacion.

1. there's no 'PUT' commaand in ftp protocol; this segv affects
   client-side and is mostly harmless

2. '*' has nothing to do with format sequences in *printf

And finally, I don't think that proftpd is really secure for now. Some
problems with STAT, for example :)

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
Previous By Date Next
Previous By Thread Next

Current thread: