[11620] in bugtraq
Re: your mail
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Sep 1 01:27:58 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990830100449.C5813@monad.swb.de>
Date: Mon, 30 Aug 1999 10:04:49 +0200
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
X-To: Anonymous <nobody@REPLAY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908262324.BAA31765@mail.replay.com>; from Anonymous on Fri,
Aug 27, 1999 at 01:24:07AM +0200
On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow
> is really there. But as soon as I made some tests,
> (using CWD function), the vulnerable buffer seems
> to be out of stack space, which turns to be impossible
> to reach the return address.
The problem is that the mapped path patch does something like
#define getcwd(buffer, length) mapped_path_cwd(buffer)
#define getwd(buffer) mapped_path_cwd(buffer)
(Not sure about the exact function name).
Now, when the client does a CWD, the pwd() function does
pwd()
{
char path[MAXPATHLEN + 1];
getcwd(path, MAXPATHLEN);
...
}
There goes your stack.
FWIW, this is another example that making the stack non-executable
doesn't protect you from all kinds of stack smashing. All an attacker
needs to do is give you addresses that point into the static buffer.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
