Vulnerability Development mailing list archives
Re: compress(vul) + ftpd(?)
From: H D Moore <sflist () digitaloffense net>
Date: Thu, 7 Mar 2002 08:18:28 -0600

YES. wu-ftpd will call compress with the file name as an argument if you request the file name ending in .Z. You have to be able to write out a file name containing the shell code to exploit the bug.

I mentioned the compress bug back in 1998 and again in 2000; it finally got fixed on some of the newer SuSE releases (not sure about Red Hat, I don't use it). See:

http://msgs.securepoint.com/cgi-bin/get/bugtraq0003/179.html

Another fun one is tar; the --use-compress-program option might be exploitable under wu-ftpd as well, although I can't think of a way to do it offhand.

On Tuesday 05 March 2002 07:43 am, HypH wrote:
> [hyph@port ~]$ rpm -qf `which compress`
> ncompress-4.2.4-21
> [hyph@port ~]$ compress `perl -e 'print "A" x 1100'`
> Segmentation fault (core dumped)
> [hyph@port ~]$gdb compress core
> eip 0x41414141 0x41414141 <--- :-))
>
> Compress isn't suid so it gives us no benefit. And here's my question:
> Is there any way to force the ftpd to 'compress' a file before sending it, from the client's side? I'm asking for this particular daemon because of this:
>
> -rwxr-xr-x 2 root root 16k gru 12 2000 compress <-- :-))
>
> The benefits would be obvious.
> Sorry if it's a known bug/vulnerability (but I've never heard 'bout it before)
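
A check a daemon could apply before handing a client-supplied file name to a helper such as compress or tar, given as an added example that is not part of the thread and not wu-ftpd's code. The function name, the result enum and the 255-byte limit are assumptions, and the check complements a fixed helper rather than replacing it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit, well below the 1100-byte name used in the post;
   a real daemon would match it to what its helpers accept. */
#define MAX_HELPER_NAME 255

enum name_check { NAME_OK, NAME_EMPTY, NAME_TOO_LONG,
                  NAME_OPTION_LIKE, NAME_BAD_BYTE };

/* Validate a requested file name before it becomes an argument
   of an external helper program. */
enum name_check check_helper_name(const char *name)
{
    size_t i;

    if (name == NULL || name[0] == '\0')
        return NAME_EMPTY;
    /* A leading '-' would be parsed by the helper as an option. */
    if (name[0] == '-')
        return NAME_OPTION_LIKE;
    for (i = 0; name[i] != '\0'; i++) {
        if (i >= MAX_HELPER_NAME)
            return NAME_TOO_LONG;   /* stop before reading further */
        /* Control and 8-bit bytes are refused in helper arguments. */
        if (!isprint((unsigned char)name[i]))
            return NAME_BAD_BYTE;
    }
    return NAME_OK;
}

/* Constructed sample: a 1100-byte name like the one in the post. */
enum name_check check_sample_long_name(void)
{
    char name[1101];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return check_helper_name(name);
}

int main(void)
{
    printf("long name: %d\n", check_sample_long_name());
    printf("normal   : %d\n", check_helper_name("pub/file.tar"));
    return 0;
}
```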