[4650] in bugtraq


Re: A couple of patches (RFC931 and scp location)

daemon@ATHENA.MIT.EDU (Matt Simmons)
Mon Jun 9 21:11:17 1997

Date: 	Sun, 8 Jun 1997 17:08:23 -0500
Reply-To: simmonmt@acm.org
From: Matt Simmons <simmonmt@CS.PURDUE.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Benjamin J Stassart's message of "Sun, 8 Jun 1997 06:14:50 -0700 (PDT)"

I added the authuser code from wu-ftpd 2.4 to ssh, and mentioned it in
a post to the ssh list.  One of the subscribers to that list, Benjamin
Stassart, looked through it and found a possible buffer overrun.  His
message is included below - it refers to authuser.c from the support
directory of the wu-ftpd distribution.  Is this overrun exploitable
and therefore nasty & bad?

Matt

Benjamin J Stassart <dszd0g@dasb.fhda.edu> writes:
> [...]
>
> Also, unless I am mistaken it appears you could over-run one of the
> buffers in authuser.c with spaces or tabs.  What this would be able to
> accomplish I do not know, but it should be fixed.
>
>         while ((w = read(s, &ch, 1)) == 1) {
>                 *buf = ch;
>                 if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
>                         ++buf;
>                 if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
>                         break;
>         }
>
> Switching the if statements should fix the problem I believe?
>
> [...]
>
> As for ease of overflowing the buffer, I would say pretty easy.  I have
> hacked up pidentd source quite a bit.  It is not difficult.  Since the
> buffer is just read directly from the socket, well...
>
> Benjamin J. Stassart

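Added example, not part of this thread or of the wu-ftpd sources: a C harness that replays the quoted authuser.c loop over constructed input in place of read(s, &ch, 1), reporting the highest buffer offset written and the number of bytes consumed, so the claim can be checked on the loop itself rather than guessed at. It also shows a variant that caps the total bytes read, because the original size check only fires when buf advances, and spaces, tabs and '\r' never advance it. REPLY_MAX as the size of realbuf, and the result struct and function names, are assumptions for this harness.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REPLY_MAX 1000  /* assumed size of realbuf in authuser.c */

struct result {
    size_t bytes_read;     /* bytes consumed from the stand-in socket */
    size_t max_write_off;  /* highest realbuf index written */
    int overran;           /* 1 if a store would have gone past realbuf */
};
/* Replays the quoted loop with an in-memory byte source in place of read(s, &ch, 1).
 * Each store is bounds-checked so the harness never corrupts its own memory. With
 * bound_total set it also stops after REPLY_MAX bytes in total, which the original
 * size check cannot do because whitespace and '\r' never advance buf. */
struct result replay(const char *input, size_t len, int bound_total) {
    char realbuf[REPLY_MAX];
    char *buf = realbuf;
    struct result r = { 0, 0, 0 };
    for (size_t pos = 0; pos < len; ) {       /* stands in for read() == 1 */
        char ch = input[pos++];
        size_t off = (size_t)(buf - realbuf);
        r.bytes_read++;
        if (off >= sizeof(realbuf)) { r.overran = 1; break; }
        *buf = ch;
        if (off > r.max_write_off) r.max_write_off = off;
        if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
            ++buf;
        if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
            break;
        if (bound_total && r.bytes_read >= REPLY_MAX)
            break;
    }
    return r;
}
/* Constructed reply: n copies of c followed by '\n', e.g. a long run of spaces. */
struct result replay_repeated(char c, size_t n, int bound_total) {
    struct result r = { 0, 0, 0 };
    char *input = malloc(n + 1);
    if (input == NULL) return r;
    memset(input, c, n); input[n] = '\n';
    r = replay(input, n + 1, bound_total);
    free(input);
    return r;
}
int main(void) {
    struct result r = replay_repeated(' ', 5000, 0);  /* 5000 spaces, then newline */
    printf("read=%zu max_write_off=%zu overran=%d\n", r.bytes_read, r.max_write_off, r.overran);
    return 0;
}
```

Compare the letters case, where the size check stops the loop after REPLY_MAX - 1 bytes, with the spaces case, where only the newline (or the bound_total cap) ends it.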