[11607] in bugtraq
wu-ftpd
daemon@ATHENA.MIT.EDU (Eduard Nigsch)
Mon Aug 30 16:27:46 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.01.9908282008490.27070-100000@ulixes.esc.ac.at>
Date: Sat, 28 Aug 1999 20:37:18 +0200
Reply-To: edi@ESC.AC.AT
From: Eduard Nigsch <edi@ESC.AC.AT>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908262324.BAA31765@mail.replay.com>
> I've been browsing through the ftpd code and the overflow
> is really there. But as soon as I made some tests,
> (using CWD function), the vulnerable buffer seems
> to be out of stack space, which turns to be impossible
> to reach the return address.
This is not quite true: The overflown buffer is on
the heap, but this doesn't mean you cannot exploit it.
'onefile' and 'Argv', which come next in memory, can be
modified to point anywhere you like, and there is more
than 1 way to gain root access with this.
> but if it's really true, this problem will
> not mean anything as a security matters (BeroFTPD and
> WUftpd are running from inetd so it wont be a dos).
It actually IS a security problem, but because of the
difficulty in exploiting it there should be enough time
to upgrade servers before exploits are widespread.
Edi
