Vulnerability Development mailing list archives
Re: compress(vul) + ftpd(?)
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 12 Mar 2002 03:59:46 -0600
On Monday 11 March 2002 04:35 am, Pavel Kankovsky wrote:
> On Sat, 9 Mar 2002, H D Moore wrote:
> > ftp> mkdir A<254 * 0x90>
> > ftp> cd A*
> > [...]
> > ftp> put <reallysmallscode>
> > ftp> cd ../../../../
> > ftp> get A*/B*/C*/D*/reallysmallscode.Z
>
> Afaik this won't work because glob() does not expand the path unless a file matching the *complete* pattern exists. But if x.Z exists, "get x.Z" will not run compress. Fortunately, we do not get Catch 22 because there is a nice race condition there. To make things better, wu-ftpd appears to compute all filenames matching a pattern during wildcard expansion and drops everything but the first entry of the list afterwards, i.e. it is possible to make the delay much longer and easier to exploit.
Understood, the glob won't match a file name that doesn't exist yet. How would this race condition work? Create an x.Z, make the request, delete it after the glob match but before the final stat()?
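The window discussed above exists when a server makes one decision at glob() time and another at a later stat() on the same name. The C sketch below is an added example, not code from the posts or from wu-ftpd: it shows a lookup that fails closed instead. The helper name `open_single_match`, the `max_len` limit and the scratch directory are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not wu-ftpd code): resolve a client pattern to exactly
 * one regular file and return an open descriptor, or -1 to fail the request. */
int open_single_match(const char *pattern, size_t max_len)
{
    glob_t g;
    struct stat st;
    int fd = -1;
    /* glob() expands only if something matches the complete pattern. */
    int rc = glob(pattern, 0, NULL, &g);
    /* Refuse ambiguous patterns and over-long expansions before any use. */
    if (rc == 0 && g.gl_pathc == 1 && strlen(g.gl_pathv[0]) < max_len) {
        fd = open(g.gl_pathv[0], O_RDONLY | O_NOFOLLOW);
        /* Decide on the object actually held, not on a second name lookup. */
        if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
            close(fd);
            fd = -1;
        }
    }
    if (rc != GLOB_NOMATCH)
        globfree(&g);
    /* -1 is final: no retry by name, no handing the name to a helper program. */
    return fd;
}

/* Constructed scenario: a scratch directory holding one file, x.Z. */
int main(void)
{
    char dir[] = "/tmp/globdemoXXXXXX", path[64], pat[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/x.Z", dir);
    snprintf(pat, sizeof pat, "%s/x*.Z", dir);
    close(open(path, O_CREAT | O_WRONLY, 0600));
    int ok = open_single_match(pat, 256);     /* file present: descriptor */
    if (ok >= 0) close(ok);
    unlink(path);                             /* the name disappears */
    int gone = open_single_match(pat, 256);   /* request fails closed */
    rmdir(dir);
    printf("present=%s vanished=%s\n", ok >= 0 ? "fd" : "-1", gone >= 0 ? "fd" : "-1");
    return !(ok >= 0 && gone == -1);
}
```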