[9732] in bugtraq
Re: Pro/wuFTPD DoS
daemon@ATHENA.MIT.EDU (Alex Belits)
Mon Feb 22 15:47:48 1999
Date: Sun, 21 Feb 1999 23:30:38 -0800
Reply-To: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
From: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
X-To: Chris Wedgwood <chris@CYBERNET.CO.NZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990221110107.A15685@caffeine.ix.net.nz>
On Sun, 21 Feb 1999, Chris Wedgwood wrote:
> > I think I will probably write it again, since I don't I have it saved
> > somewhere. There's nothing fascinating actually. This seems to be a heap
> > buffer overflow, which smashes pointers to the dirnames (thus you could
> > probably get access to files outside chrooted environment):
>
> Could someone please clue me in on how this might be so, assuming
> *ftpd correctly chroot's itself then relinquishes permissions?
There is a claim in the description of that hole that wu-ftpd doesn't
relinquish permissions properly, changing the uid "temporarily". I assume
it means that the saved uid is not changed at that point; however, I
haven't checked in the source whether this is true.
--
Alex
----------------------------------------------------------------------
Excellent.. now give users the option to cut your hair you hippie!
-- Anonymous Coward
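
Added example, not part of the original message and not taken from wu-ftpd's source: a C sketch of the distinction the reply describes, where a "temporary" uid change leaves the real or saved uid at 0 and a permanent drop does not. The names classify_uids and drop_permanently and the uid 1000 are assumptions made for illustration; Linux capabilities and fsuid are not modelled.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE              /* setgroups() is a BSD/glibc extension */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_state { DROP_NONE, DROP_TEMPORARY, DROP_PERMANENT };

/* Classify a (real, effective, saved) uid triple: a non-root process may
 * set its effective uid to its real or saved uid, so a 0 in either slot
 * means root is one seteuid(0) away. */
enum drop_state classify_uids(uid_t ruid, uid_t euid, uid_t suid)
{
    if (euid == 0)
        return DROP_NONE;
    return (ruid == 0 || suid == 0) ? DROP_TEMPORARY : DROP_PERMANENT;
}

/* Permanent drop for a daemon started as root, to be called after
 * chroot(). Returns 0 only when the switch has been verified. */
int drop_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0 || geteuid() != 0)
        return -1;                   /* nothing to drop, or not root */
    if (setgroups(1, &gid) != 0)     /* groups first, while still root */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                   /* as root these set real, effective, saved */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    /* A saved uid of 0 would let either call succeed. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed triples; 1000 is a hypothetical login uid. */
    printf("after seteuid(1000): %d\n", classify_uids(0, 1000, 0));
    printf("after setuid(1000):  %d\n", classify_uids(1000, 1000, 1000));
    return 0;
}
```

In the DROP_TEMPORARY state, code running inside the process after memory corruption can call seteuid(0) and then act as root, which is why the saved uid matters for whether a chroot holds.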