Vulnerability Development mailing list archives

Re: New bugs discovered!


From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Tue, 20 Nov 2001 10:36:55 +0000 (GMT)

On Mon, 19 Nov 2001, The Itch wrote:

> Ah, yes, and /usr/bin/compress, /usr/bin/uncompress, /bin/zcat and
> /bin/gunzip are likewise vulnerable to simple buffer overflows.
>
> (Compress version: (N)compress 4.2.4, compiled: Mon Feb  7 16:15:44 EST 2000)
> (zcat 1.2.4 (18 Aug 93))
>
> This is on Red Hat 6.2.

Verified here on RH 7.2 with compress and uncompress:

$ uncompress `perl -e 'print "A" x 2048'`
Segmentation fault
$ compress `perl -e 'print "A" x 2048'`
Segmentation fault
$ compress -V
Compress version: (N)compress 4.2.4, compiled: Mon Jun 25 04:14:46 EDT 2001
Compile options:
        FAST, DIRENT, 
        REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16
[ ... ]
$ rpm -qif `which compress`
Name        : ncompress                    Relocations: (not relocateable)
Version     : 4.2.4                             Vendor: Red Hat, Inc.
Release     : 24                            Build Date: Mon 25 Jun 2001 09:14:50 BST
[ ... ]

> uncompress and compress are called by wuftpd (maybe other ftpd's too) to
> compress and uncompress files on the fly.
>
> I quickly looked into it a few months ago. I am not sure, but I believe the
> maximum input you can give is 1024 bytes in wuftpd, thus not enough to
> overflow the buffers of either of those programs.

I think you're right that wu-ftpd is unintentionally protecting against these
buffer overflows, but I'm not sure about the value; strace indicates a read of
4096, and a manually spoofed ftp connection indicates 511 bytes (+1 for
the NULL). Anyone else?

Incidentally, whilst I was testing...

$ ncftp
NcFTP 3.0.3 (April 15, 2001) by Mike Gleason (ncftp () ncftp com).
ncftp> $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
*** Error: getline(): input buffer overflow
$ 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

$ rpm -qif `which ncftp`
Name        : ncftp                        Relocations: /usr 
Version     : 3.0.3                             Vendor: Red Hat, Inc.
Release     : 6                             Build Date: Sat 04 Aug 2001 20:55:09 BST

Probably not exploitable, but...

Best Regards,
Alex.
-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/
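The argument-length failure the thread demonstrates (2048 bytes of 'A' passed as a filename), as an added C example that is neither ncompress's code nor part of this post: a hypothetical 1024-byte output-name buffer, the unbounded strcpy/strcat pattern that a name of that length overruns, and a bounded snprintf version that refuses oversize names instead of writing past the buffer. The buffer size, the ".Z" suffix handling and all function names are assumptions; the 511-byte figure in the demo is the wu-ftpd command-line length Alex measured above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size output-name buffer. It stands in for whatever
 * buffer a 2048-byte argv overruns in the thread; it is NOT ncompress code. */
#define OFNAME_SIZE 1024

/* Vulnerable pattern: unbounded copy of an argv name into a fixed buffer,
 * then the ".Z" suffix. Writes strlen(name) + 3 bytes regardless of
 * OFNAME_SIZE, so any name of 1022 bytes or more corrupts adjacent memory.
 * Kept only for contrast; never hand it untrusted input. */
void build_output_name_unsafe(const char *name, char out[OFNAME_SIZE]) {
    strcpy(out, name);
    strcat(out, ".Z");
}

/* Hardened pattern: bounded formatting, with snprintf's return value checked
 * so a name that does not fit is a hard failure rather than a silently
 * truncated (and therefore wrong) file name. Returns 0 on success, -1 if the
 * result would not fit in outsz bytes. */
int build_output_name(const char *name, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s.Z", name);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build the kind of argument the thread used: len copies of 'A'. Caller frees. */
char *make_arg(size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Longest name the unsafe path survives: OFNAME_SIZE minus ".Z" and the NUL. */
size_t max_safe_name_len(void) {
    return OFNAME_SIZE - 3;
}

int main(void) {
    char out[OFNAME_SIZE];
    char *a2048 = make_arg(2048);   /* the thread's test input */
    char *a511 = make_arg(511);     /* the longest line Alex saw wu-ftpd pass on */

    if (a2048 == NULL || a511 == NULL) return 1;
    printf("2048 A's: %s\n", build_output_name(a2048, out, sizeof out) == 0 ? "ok" : "refused");
    printf("511 A's:  %s\n", build_output_name(a511, out, sizeof out) == 0 ? "ok" : "refused");
    printf("unsafe path tolerates at most %zu-byte names\n", max_safe_name_len());
    build_output_name_unsafe("foo", out);   /* safe only because "foo" is short */
    printf("unsafe with short name: %s\n", out);
    free(a2048);
    free(a511);
    return 0;
}
```

Compiled stand-alone, the 2048-byte name is refused and the 511-byte one fits with room to spare, which is the same arithmetic behind the thread's observation that wu-ftpd's line limit keeps the overflow out of reach even though compress itself never checks.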

