On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow
> is really there. But as soon as I made some tests,
> (using CWD function), the vulnerable buffer seems
> to be out of stack space, which turns out to be impossible
> to reach the return address.

The problem is that the mapped path patch does something like

    #define getcwd(buffer, length)   mapped_path_cwd(buffer)   /* length argument is dropped */
    #define getwd(buffer)            mapped_path_cwd(buffer)

(Not sure about the exact function name). Now, when the client does a
CWD, the pwd() function does

    pwd()
    {
        char path[MAXPATHLEN + 1];

        getcwd(path, MAXPATHLEN);   /* expands to mapped_path_cwd(path): no bound */
        ...
    }

There goes your stack.

FWIW, this is another example that making the stack non-executable
doesn't protect you from all kinds of stack smashing. All an attacker
needs to do is give you addresses that point into the static buffer.

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirat_private     |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private     +-------------------- Why Not?! -----------------------
UNIX, n.:
        Spanish manufacturer of fire extinguishers.
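The defect Olaf describes is a wrapper that throws away the caller's length argument, so pwd()'s fixed MAXPATHLEN+1 stack buffer is filled from a static path buffer of arbitrary size. The following is an added example, not code from the message or from the ftpd patch: a stand-in wrapper that keeps getcwd(3) semantics (NULL and ERANGE when the path does not fit), a pwd() that checks the result, and a helper that reports how far an unbounded copy would have overrun. mapped_cwd, set_mapped_cwd(), overrun_if_unbounded() and the MAXPATHLEN fallback value are constructed for this example.

```c
/* Added example: length-honouring stand-in for the mapped_path_cwd() wrapper.
 * mapped_cwd, set_mapped_cwd(), overrun_if_unbounded() are constructed names. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024      /* assumed value; the real one comes from <sys/param.h> */
#endif
/* The mapped-path patch keeps the client-visible cwd in a static buffer
 * that can grow well beyond MAXPATHLEN (constructed stand-in). */
static char mapped_cwd[8192];

void set_mapped_cwd(const char *p)
{
    snprintf(mapped_cwd, sizeof mapped_cwd, "%s", p);
}

/* The original macro  #define getcwd(buffer, length) mapped_path_cwd(buffer)
 * discards `length`. This reports how many bytes an unbounded copy would
 * write past a caller buffer of `bufsize` bytes (0 means it would fit). */
size_t overrun_if_unbounded(size_t bufsize)
{
    size_t need = strlen(mapped_cwd) + 1;   /* include the terminating NUL */
    return need > bufsize ? need - bufsize : 0;
}

/* Bounded replacement with getcwd(3) semantics: returns buf on success,
 * NULL with errno = ERANGE when the mapped path does not fit in `size`. */
char *mapped_path_getcwd(char *buf, size_t size)
{
    size_t need = strlen(mapped_cwd) + 1;
    if (size == 0) { errno = EINVAL; return NULL; }
    if (need > size) { errno = ERANGE; return NULL; }
    memcpy(buf, mapped_cwd, need);
    return buf;
}

/* pwd() as in the message, but it checks the result instead of assuming
 * the copy stayed inside path[]. Returns 0 on success, -1 on failure. */
int pwd(char *reply, size_t replylen)
{
    char path[MAXPATHLEN + 1];
    if (mapped_path_getcwd(path, sizeof path) == NULL)
        return -1;                          /* over-long path refused, stack intact */
    snprintf(reply, replylen, "257 \"%s\" is current directory.", path);
    return 0;
}
```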