On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow
> is really there. But as soon as I made some tests,
> (using CWD function), the vulnerable buffer seems
> to be out of stack space, which turns to be impossible
> to reach the return address.
The problem is that the mapped path patch does something like
#define getcwd(buffer, length) mapped_path_cwd(buffer)
#define getwd(buffer) mapped_path_cwd(buffer)
(Not sure about the exact function name).
Now, when the client does a CWD, the pwd() function does
pwd()
{
char path[MAXPATHLEN + 1];
getcwd(path, MAXPATHLEN);
...
}
There goes your stack.
FWIW, this is another example that making the stack non-executable
doesn't protect you from all kinds of stack smashing. All an attacker
needs to do is give you addresses that point into the static buffer.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okirat_private | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:09 PDT