[15918] in bugtraq
Re: CRYX present: netscape profesional services ftp service
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Sat Jul 22 20:11:40 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0007222047460.28238-100000@dione.ids.pl>
Date: Sat, 22 Jul 2000 20:56:07 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SOL.4.21.10007113123131.7743-100000@marcin.localdomain>
On Wed, 19 Jul 2000, l33thax0r wrote:
> gr33tings to all our friendz - you know who y0u are!
> special gr33tings to d00d that find this bug!
Actually, that was me, about two weeks ago, while performing a loose
security audit of this release (1.39). Regardless of its really poor contents,
this mail seems to be based on information that leaked from us (it had
been posted to some people in Poland) - including almost exactly cited
examples from the original post.
I contacted someone at Netscape, but didn't get a satisfying response, so I
simply forgot about it - which wasn't the best solution, as I can see.
There are still some problems left, and they're working on it.
I am not aware of any working exploits, but I guess exploitation isn't
something really difficult (especially in such a complex piece of code, %p
'pointer overwrite' bugs are deadly dangerous).
Thanks,
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
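The "%p" bug class Michal refers to above is an untrusted string reaching printf() as the format argument. The following is an added illustration, not code from this post, from Netscape's FTP service, or from the original advisory: it shows the safe call shape (fixed format, user text as data) beside the vulnerable one (kept in a comment), plus a small review-time check that counts conversion directives in data that is about to be used as a format. The "user=" prefix and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post or the audited product.
 * Demonstrates why user text must never be the format argument:
 * "%p" reads pointer-sized values off the stack and "%n" writes a
 * count through one, which is the "pointer overwrite" Michal names.
 *
 * Vulnerable shape, shown only as a comment because calling it with
 * untrusted input is undefined behaviour:
 *
 *     void log_user(const char *user) { printf(user); }
 *
 * Safe shape: the format is a compile-time constant and the user string
 * is passed as an argument, so any '%' in it is emitted literally. */
size_t render_safe(char *out, size_t outsz, const char *user) {
    int n = snprintf(out, outsz, "user=%s", user);   /* "user=" prefix is a constructed label */
    return n < 0 ? 0 : (size_t)n;
}

/* Returns 1 if the safe path reproduces the user string byte-for-byte
 * (no directive was interpreted), 0 otherwise. */
int is_rendered_literally(const char *user) {
    char buf[256];
    char expected[256];
    render_safe(buf, sizeof buf, user);
    snprintf(expected, sizeof expected, "user=%s", user);
    return strcmp(buf, expected) == 0;
}

/* Review/filter helper: counts printf conversion directives in a string.
 * Any count above zero in attacker-influenced data that will be used as a
 * format is a red flag. "%%" is an escaped percent sign, not a directive. */
int count_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* skip the escaped pair */
        count++;
    }
    return count;
}

int main(void) {
    char buf[64];
    const char *crafted = "%p%p%n";          /* constructed sample input */
    render_safe(buf, sizeof buf, crafted);
    printf("rendered: %s\n", buf);            /* user=%p%p%n, directives untouched */
    printf("directives in input: %d\n", count_directives(crafted));
    return 0;
}
```

The check is a heuristic for code review and log-ingestion filters, not a substitute for the fix: the fix is always a constant format string, and modern compilers flag the vulnerable shape with -Wformat-security.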