~ Maybe you should repost your email to bugtraq because Aleph1 may not ~ have seen it (I think he is damn busy with 25000+ subscribers). ~ I think I will probably write it again, since I don't I have it saved somewhere. There's nothing fascinating actually. This seem to be a heap buffer overflow, which smashes pointers to the dirnames (thus you could probably get access to files outsite chrooted envinronment): Here's screenshot of gdb, attaching to running proftpd process before overflow took place: - --/gdb screenshot/--- Program received signal SIGSEGV, Segmentation fault. 0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>, s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>..., n=1094795585) at ../sysdeps/generic/strncpy.c:82 ../sysdeps/generic/strncpy.c:82: No such file or directory. (gdb) where #0 0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>, s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>..., n=1094795585) at ../sysdeps/generic/strncpy.c:82 #1 0x8057963 in fs_clean_path ( path=0x41414141 <Address 0x41414141 out of bounds>, buf=0x41414141 <Address 0x41414141 out of bounds>, maxlen=1094795585) at fs.c:776 #2 0x41414141 in ?? () Cannot access memory at address 0x41414141. (gdb) --/gdb screenshot/-- The overflow causes SIGSEGV in fs_clean_path() routine, but it happened in fs_dircat(), which eventualy overwrote pointers to path, and buf. I didn't have time to check whether 1.2.pre2 is vulneriable to this. (tested with 1.2.pre1 with patch appiled). hope this helps.. regards ~Fyodor -- http://www.kalug.lug.net/ PGP key: hkp://keys.pgp.com/cyberpsychotic http://www.kalug.lug.net/fygrave email:fygraveat_private "There are three kinds of people: men, women, and unix."
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:00 PDT