Re: your mail
daemon@ATHENA.MIT.EDU (Gregory A Lundberg)
Mon Aug 30 19:51:18 1999
Mail-Followup-To: Anonymous <nobody@REPLAY.COM>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990829025048.C20490@vr.net>
Date: Sun, 29 Aug 1999 02:50:48 -0400
Reply-To: Gregory A Lundberg <lundberg@VR.NET>
From: Gregory A Lundberg <lundberg@VR.NET>
X-To: Anonymous <nobody@REPLAY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908262324.BAA31765@mail.replay.com>; from Anonymous on Fri, Aug 27, 1999 at 01:24:07AM +0200
On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow is really
> there. But as soon as I made some tests (using the CWD function), the
> vulnerable buffer seems to be out of stack space, which turns out to make
> it impossible to reach the return address. I'm not that sure about that
> because I was warned about that bug by a friend of mine, but if it's
> really true, this problem will not mean anything as a security matter
> (BeroFTPD and WUftpd are running from inetd, so it won't be a DoS).
Yes, it overflows a statically allocated buffer. No, it's not a stack-smash.
Yes, it works. This isn't your standard buffer-overrun, modify-the-return-address
attack. These guys were lucky to have found it (using the right compiler on the
right OS) and determined. Either you weren't determined enough or you didn't use
the right compiler to build the daemon.
--
Gregory A Lundberg Senior Partner, VRnet Company
1441 Elmdale Drive lundberg@vr.net
Kettering, OH 45409-1615 USA 1-800-809-2195