[20240] in bugtraq
Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !
daemon@ATHENA.MIT.EDU (Konrad Rieck)
Tue Apr 17 01:27:11 2001
Mail-Followup-To: Konrad Rieck <kr@r0q.cx>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010416211313.A3251@r0q.cx>
Date: Mon, 16 Apr 2001 21:13:13 +0200
Reply-To: Konrad Rieck <kr@R0Q.CX>
From: Konrad Rieck <kr@R0Q.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00aa01c0c29f$2b6064a0$2100a8c0@illegalaccess.de>; from
johncybpk@GMX.NET on Wed, Apr 11, 2001 at 05:50:39PM +0200
On Wed, Apr 11, 2001 at 05:50:39PM +0200, Johnny Cyberpunk wrote:
> This problem could allow an attacker to execute code on the stack and gain
> access to the system.
You should take a look at the source of Solaris. It's free and designed to
assist in such situations. gdb logs don't help that much.
The problem occurs in the function expand() that is called from the
following functions: glob() -> collect() -> acollect() -> expand().
The segmentation fault is caused by copying the global variable home to
gpath. home is NULL if gethdir() hasn't been called or returned an error.
strcpy() fails.
Expanding the CWD command with more arguments, e.g. cwd ~/ffffffff...,
doesn't affect the home variable; this problem is not a buffer overflow.
It's very unlikely that a NULL pointer in home can be used to place any code
on the stack. I don't believe that there will be a proof of concept for
exploiting this vulnerability to gain any privileges. But I am willing to
learn... ;)
Regards,
Konrad
--
Konrad Rieck <kr@r0q.cx>
Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub
-- Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
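The defect Konrad describes (expand() copying the global home into gpath with strcpy() while home is still NULL because gethdir() never ran or failed) reduces to a NULL dereference, not an overflow. The following is an added example, not the Solaris ftpd source and not code from anyone in this thread: a minimal tilde expander written in the same shape, with the unchecked copy beside a form that refuses expansion when no home is known and bounds the copy. All names here (set_home standing in for gethdir(), expand_unchecked, expand_checked, GPATH_MAX) are hypothetical, and the session values are constructed.

```c
/* Added example modelled on the defect described in the post: ftpd's
 * expand() copying the global `home` into gpath via strcpy().  This is
 * NOT the Solaris ftpd source; every name below is hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define GPATH_MAX 256

/* Hypothetical global mirroring the `home` variable in the post.  It
 * stays NULL until set_home() (standing in for gethdir()) succeeds. */
static const char *home = NULL;

/* Stand-in for gethdir(): records the session's home directory.
 * Returns 0 on success, -1 if the lookup "fails" (NULL or empty here). */
int set_home(const char *dir)
{
    if (dir == NULL || dir[0] == '\0') {
        home = NULL;
        return -1;
    }
    home = dir;
    return 0;
}

/* The pattern the post describes: `home` is copied into gpath with no
 * NULL check.  If gethdir() never ran, strcpy() dereferences NULL and
 * the daemon faults.  Kept only to show the defect; do not call it
 * while home is NULL. */
void expand_unchecked(const char *arg, char *gpath)
{
    if (arg[0] == '~') {
        strcpy(gpath, home);              /* crashes when home == NULL */
        strcat(gpath, arg + 1);
    } else {
        strcpy(gpath, arg);
    }
}

/* Hardened form: refuses tilde expansion when no home is known and
 * bounds every copy, so neither a NULL `home` nor a long argument such
 * as "~/ffffffff..." can fault or overrun gpath.
 * Returns 0 on success, -1 when home is NULL, -2 if the result won't fit. */
int expand_checked(const char *arg, char *gpath, size_t gpath_len)
{
    if (arg[0] != '~') {
        size_t alen = strlen(arg);
        if (alen >= gpath_len)
            return -2;
        memcpy(gpath, arg, alen + 1);
        return 0;
    }
    if (home == NULL)                     /* the case the post identifies */
        return -1;
    size_t hlen = strlen(home);
    size_t rlen = strlen(arg + 1);
    if (hlen + rlen >= gpath_len)
        return -2;
    memcpy(gpath, home, hlen);
    memcpy(gpath + hlen, arg + 1, rlen + 1);
    return 0;
}

int main(void)
{
    char gpath[GPATH_MAX];
    /* Constructed session: no home yet, then a home becomes known. */
    printf("before gethdir: rc=%d\n", expand_checked("~/foo", gpath, sizeof gpath));
    set_home("/export/home/user");
    if (expand_checked("~/foo", gpath, sizeof gpath) == 0)
        printf("expanded: %s\n", gpath);
    return 0;
}
```

The check on home is the whole fix for the fault in the post; the length checks are added because a bounded copy is what a practitioner would want in the same function anyway, even though, as Konrad notes, the long-argument case is not itself an overflow here.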