Local exploit for TrollFTPD-1.26

From: zen-parse (zen-parseat_private)
Date: Sun Aug 12 2001 - 20:22:22 PDT

    Affects:    TrollFTPD 1.26 (probably earlier)
    
    Severity:   local users can gain root access.
    
    Fix:        upgrade to TrollFTPD-1.27
    
    Fix URL:    ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz
    
    Description:
    
     An error in the handling of recursive directory listings can result in an
     exploitable buffer overflow.
    
    Exploit:
    
    (offsets are for one machine. not guaranteed to work on any others.)
    
    Run the program,
    ftp localhost
    <in ftp>
    (your username)
    (your password)
    cd /tmp
    ls -R
    
    <out of ftp>
    Connect to port 10000 with nc
    Be nice.
    
    -- zen-parse
    
    -- 
    -------------------------------------------------------------------------
    The preceding information, unless directly posted by zen-parseat_private to
    an open forum is confidential information and not to be distributed
    (without explicit permission being given by zen-parseat_private). Legal
    action may be taken to enforce this. If you are mum or dad, this probably
    doesn't apply to you.
    
    
    
    


