~ Maybe you should repost your email to bugtraq because Aleph1 may not
~ have seen it (I think he is damn busy with 25000+ subscribers).
~
I think I will probably write it again, since I don't I have it saved
somewhere. There's nothing fascinating actually. This seem to be a heap
buffer overflow, which smashes pointers to the dirnames (thus you could
probably get access to files outsite chrooted envinronment):
Here's screenshot of gdb, attaching to running proftpd process before
overflow took place:
-
--/gdb screenshot/---
Program received signal SIGSEGV, Segmentation fault.
0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
n=1094795585) at ../sysdeps/generic/strncpy.c:82
../sysdeps/generic/strncpy.c:82: No such file or directory.
(gdb) where
#0 0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,
s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,
n=1094795585) at ../sysdeps/generic/strncpy.c:82
#1 0x8057963 in fs_clean_path (
path=0x41414141 <Address 0x41414141 out of bounds>,
buf=0x41414141 <Address 0x41414141 out of bounds>, maxlen=1094795585)
at fs.c:776
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)
--/gdb screenshot/--
The overflow causes SIGSEGV in fs_clean_path() routine, but it happened in
fs_dircat(), which eventualy overwrote pointers to path, and buf. I didn't
have time to check whether 1.2.pre2 is vulneriable to this. (tested with
1.2.pre1 with patch appiled).
hope this helps..
regards
~Fyodor
--
http://www.kalug.lug.net/ PGP key: hkp://keys.pgp.com/cyberpsychotic
http://www.kalug.lug.net/fygrave email:fygraveat_private
"There are three kinds of people: men, women, and unix."
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:00 PDT