The fact that in.ftpd crashes with SIGSEGV does not necessarily indicate that it is a remotely exploitable vulnerability. In this case, it is just a simple null-pointer dereference. But, as Sun's binary code licence forbids disassembly, I can only strongly believe or suspect that it is a register-indirect load where that register's value is 0x0 :). I suspect that it is caused by glob() looking for the home directory of a NULL username.

So, this is not a remotely exploitable vulnerability; it can simply be used to crash the remote in.ftpd. However, this can present other problems, so you should ensure that core dumps are disabled for inetd (add "ulimit -c 0" before starting inetd in /etc/init.d/inetsvc) or at least that they are not world readable (add a umask line); they are world readable by default under 2.6.

--
ghandi / ghandiat_private / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
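As an added example (not part of ghandi's post), the following POSIX shell audit checks an inetd start-up script for the two mitigations the post recommends: a "ulimit -c 0" placed before inetd is started, and a umask that clears the world-read bit so that any core file a crashed in.ftpd child does write is not world readable. The two sample scripts it writes to /tmp are constructed here and are not copies of Solaris' /etc/init.d/inetsvc; the inetd path /usr/sbin/inetd it looks for is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): audit an inetd start-up script,
# such as /etc/init.d/inetsvc on Solaris 2.6, for the post's two hardenings.
# A crashed in.ftpd child inherits inetd's resource limits and umask, so
# "ulimit -c 0" before inetd starts means no core file at all, and a umask
# whose "other" digit is 4 or more clears o-r, so a core is not world readable.
# The inetd path /usr/sbin/inetd is assumed; adjust for your system.

# Line number of the first line that launches inetd; empty if none.
inetd_start_line() {
    grep -n '/usr/sbin/inetd' "$1" | head -n 1 | cut -d: -f1
}

# Line number of the first "ulimit -c 0" before line $2; empty if none.
ulimit_before() {
    awk -v n="$2" 'NR < n && /ulimit[ \t]+-c[ \t]+0([ \t]|$)/ { print NR; exit }' "$1"
}

# Last octal digit of the first umask set before line $2; empty if none.
umask_other_digit_before() {
    awk -v n="$2" 'NR < n && $1 == "umask" { print substr($2, length($2), 1); exit }' "$1"
}

# audit_inetsvc FILE: print findings; return 0 if cores are disabled or at
# least not world readable before inetd is started, 1 otherwise.
audit_inetsvc() {
    file="$1"
    start=$(inetd_start_line "$file")
    if [ -z "$start" ]; then
        echo "$file: inetd is not started here"
        return 1
    fi
    rc=1
    ul=$(ulimit_before "$file" "$start")
    if [ -n "$ul" ]; then
        echo "$file: core dumps disabled (ulimit -c 0 at line $ul, inetd at line $start)"
        rc=0
    else
        echo "$file: no 'ulimit -c 0' before inetd start at line $start"
    fi
    od=$(umask_other_digit_before "$file" "$start")
    case "$od" in
        [4-7]) echo "$file: umask before inetd clears o-r; cores would not be world readable"
               rc=0 ;;
        *)     echo "$file: no umask before inetd that clears o-r; cores would be world readable" ;;
    esac
    return $rc
}

# Constructed sample: a stock-looking start-up script with no hardening.
make_sample_default() {
    f="/tmp/inetsvc-default.$$"
    cat > "$f" <<'EOF'
#!/sbin/sh
# constructed sample modelled on a stock start-up script
/usr/sbin/inetd -s &
EOF
    echo "$f"
}

# Constructed sample: the same script with the post's two additions.
make_sample_hardened() {
    f="/tmp/inetsvc-hardened.$$"
    cat > "$f" <<'EOF'
#!/sbin/sh
# constructed sample: the stock script with the post's two additions
ulimit -c 0
umask 077
/usr/sbin/inetd -s &
EOF
    echo "$f"
}

# Demo on the two constructed samples.
for f in $(make_sample_default) $(make_sample_hardened); do
    if audit_inetsvc "$f"; then echo "$f: OK"; else echo "$f: needs hardening"; fi
    rm -f "$f"
done
```

Run it against the real script with `audit_inetsvc /etc/init.d/inetsvc`; the checks are positional on purpose, since a ulimit or umask placed after the inetd line does nothing for the daemon.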
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 10:36:22 PDT