Vulnerability Development mailing list archives

Re: New bugs discovered!


From: Syzop <syz () dds nl>
Date: Mon, 19 Nov 2001 20:13:31 +0100

"Larry W. Cashdollar" wrote:

I think we are going to find a new era of buffer overflows, not in
the daemons themselves but the user utilities that they call.  Overflows
in non-setuid binaries might be worth cataloging if these binaries are
being called by applications that are listening to a socket.

I've been thinking about this a month ago or something, and then started
looking at the ls source code, because some (most?) ftp servers use an
external /bin/ls (in the chroot, if you are an anonymous user)... so if it contains
a bug... :)
Anyway, I didn't find anything...
Also, if you _do_ find a bug in it, you're still in the chroot jail (and uid != 0)...
could be difficult to get out... mm maybe with kernel exploit -> root -> break out...

Mmm, about the gzip bug...
will an ftp server allow you to pass a filename of ~1100 chars?
It looks like a free() bug (trying to free 0x41414141 ["env" in do_exit IIRC]),
or at least with gzip source code / rh6.1...

    Syzop.
