[15571] in bugtraq
Re: WuFTPD: Providing *remote* root since at least 1994
daemon@ATHENA.MIT.EDU (Eric Hines)
Fri Jun 30 17:37:19 2000
Content-Type: text/plain
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <00062911223905.16158@soc1.priv.nuasis.com>
Date: Thu, 29 Jun 2000 11:20:59 -0700
Reply-To: eric.hines@nuasis.com
From: Eric Hines <eric.hines@NUASIS.COM>
X-To: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>,
Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200006290742.JAA26345@romulus.Holland.Sun.COM>
Has anyone come out with a working version of this exploit script? Both
versions provided on the securityfocus.com web site, and/or the one distributed
here by TF8, are not working, even after I fixed his code. Do we know for sure
the thing even exists? I dunno, can anyone direct me to the actual code,
because I have yet to see a working version of it that doesn't core dump.
Please advise.
Eric
On Thu, 29 Jun 2000, Casper Dik wrote:
> >>>>>> "Mouse" == der Mouse <mouse@RODENTS.MONTREAL.QC.CA> writes:
> >
> >>> Not to mention that could still be overflowable. snprintf() doesn't
> >>> null terminate.
> >
> >Mouse> Then IMO it's broken - what's your reference for thinking it doesn't?
> >Mouse> The only snprintf manpage I have at hand (NetBSD's) says
> >
> >The behaviour of snprintf() has _changed_. The evil forces of POSIX (as
> >opposed to the benign forces of POSIX) changed the semantics without
> >changing the function name. They never learn...
>
> POSIX? Perhaps you mean X/Open? X/Open does guarantee NUL termination.
> The return value is, however, not properly specified.
>
> http://www.opengroup.org/onlinepubs/007908799/xsh/fprintf.html
>
> lists undefined behaviour for n < 1 (return a value < 1) and also
> appears to indicate it will return at most "n - 1".
>
> I think a defect report was issued; X/Open is also likely to
> follow C99.
>
> >So, if you use snprintf() in portable code, you must either:
> >
> >- Check to see if it null-terminates
>
> If it doesn't, it's broken.
>
> >- Check to see what value it returns (number of bytes copied? number of
> >bytes it _would_ have copied, if bufflen was infinite? -1 (what's errno)? 0?)
>
> That is something that differs from implementation to implementation; I'm
> told even the original one returned bytes copied rather than whatever
> sprintf() would have returned.
>
> Also, be aware that snprintf(NULL, 0, fmt, ...) and snprintf(buf, 0, fmt, ...)
> are dangerous constructs to use (few implementations return the sprintf()
> result in that case)
>
>
> Since snprintf() shares the printf() formatting engine with the other
> functions it can return -1 w/ errno = EILSEQ on UNIX98 compliant systems.
> (And probably other errnos too)
>
> However, EILSEQ will only happen for wide char conversions; static
> inspection of the snprintf fmt string will tell you whether or not
> you'll encounter them.
>
> Casper
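As an added example (not code from this thread, from wu-ftpd, or from any of the posters), here is a small bounded-append helper in C that applies the advice in Casper Dik's quoted post: never call snprintf() with a size of 0, force NUL termination rather than trusting the libc to do it, and check the return value, treating a negative result as an error and a result of at least the remaining room as truncation. Truncation detection assumes the C99 return convention (the length the whole output would have had); on an older libc that returns bytes copied, an exact fit and a truncation look the same, which is exactly the ambiguity the post describes. The bounded_buf structure, the bb_* and demo_build functions, and the "USER anonymous@example" sample pieces are all constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded append; the caller must act on it, not ignore it. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/* Hypothetical bounded string builder (constructed for this example).
 * Invariant: buf[len] == '\0' and len < cap at all times. */
struct bounded_buf {
    char *buf;      /* caller-owned storage */
    size_t cap;     /* size of buf in bytes, including room for the NUL */
    size_t len;     /* bytes in use, excluding the NUL */
    int truncated;  /* set once any append did not fit */
};

int bb_init(struct bounded_buf *b, char *storage, size_t cap)
{
    /* Refuse cap == 0: snprintf(buf, 0, ...) is not portable, as the post notes. */
    if (b == NULL || storage == NULL || cap == 0)
        return -1;
    b->buf = storage;
    b->cap = cap;
    b->len = 0;
    b->truncated = 0;
    storage[0] = '\0';
    return 0;
}

enum fmt_status bb_appendf(struct bounded_buf *b, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t room = b->cap - b->len;   /* >= 1 by the invariant, so never 0 */

    va_start(ap, fmt);
    n = vsnprintf(b->buf + b->len, room, fmt, ap);
    va_end(ap);

    /* Force termination even on a libc that does not guarantee it. */
    b->buf[b->cap - 1] = '\0';

    if (n < 0) {
        /* UNIX98-style failure (e.g. EILSEQ): drop the partial output. */
        b->buf[b->len] = '\0';
        return FMT_ERROR;
    }
    if ((size_t)n >= room) {
        /* C99: n is the length the whole output would have had, so the
         * append was cut. The classic bug is "len += n" here, which pushes
         * len past cap and makes the next (cap - len) wrap to a huge size;
         * instead clamp len to the real end of the string. */
        b->len = b->cap - 1;
        b->truncated = 1;
        return FMT_TRUNCATED;
    }
    /* Fit. Advance by what is actually in the buffer, which is correct under
     * both the C99 and the older "bytes copied" return conventions. (Under the
     * older convention an exact fit, n == room - 1, cannot be told apart from
     * truncation; that is the ambiguity the post describes.) */
    b->len += strlen(b->buf + b->len);
    return FMT_OK;
}

/* Builds a constructed sample command line into out[cap].
 * Returns 1 if truncation was detected, 0 if every piece fit, -1 on error. */
int demo_build(char *out, size_t cap)
{
    struct bounded_buf b;
    const char *pieces[] = { "USER ", "anonymous", "@example" };  /* constructed */
    size_t i;

    if (bb_init(&b, out, cap) != 0)
        return -1;
    for (i = 0; i < sizeof pieces / sizeof pieces[0]; i++) {
        if (bb_appendf(&b, "%s", pieces[i]) == FMT_ERROR)
            return -1;
    }
    return b.truncated;
}

int main(void)
{
    char small[16], large[64];
    int t1 = demo_build(small, sizeof small);
    int t2 = demo_build(large, sizeof large);
    printf("16-byte buffer: \"%s\" truncated=%d\n", small, t1);
    printf("64-byte buffer: \"%s\" truncated=%d\n", large, t2);
    return 0;
}
```

The point of the clamp in the truncation branch is the usual follow-on failure: code that does `len += snprintf(buf + len, sizeof buf - len, ...)` in a loop and ignores the return value ends up, after one truncation on a C99 libc, passing a size that has wrapped around, at which point the "bounded" call is no longer bounded at all.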