Re: serv-u 2.5e

From: Vladimir Dubrovin (vladat_private)
Date: Tue Jul 24 2001 - 01:57:02 PDT


    Dear perkere stinker,
    
    I call this issue "unsafe fgets()". In this case the problem is
    not exploitable, because it occurs in user input. The
    problem can be exploitable if "unsafe fgets()" is in the parsing
    of some file format or between 2 server programs (MTA and
    MDA, for example).
    
    You can find examples and descriptions of this problem in the
    SECURITY.NNOV advisories:
    http://www.security.nnov.ru/advisories/
    
    --23.07.2001 23:37, you wrote serv-u 2.5e to vuln-devat_private;
    
    p> log in, issue a PASV [buf] where buf is 507 bytes, after that you can issue 
    p> a new command all in the same line. Can this be exploited anyway? Does it 
    p> work on other versions? Is this pure crap? I don't know. Guess that's what 
    p> vuln-dev is for?
    
    p> example:
    
    p> [foo@bar foo]$ telnet serv-u-server 21
    p> Trying 193.89.248.81...
    p> Connected to serv-u-server.
    p> Escape character is '^]'.
    p> 220 Serv-U FTP-Server v2.5e for WinSock ready...
    p> user perkere
    p> 331 User name okay, need password.
    p> pass stinker
    p> 230 User logged in, proceed.
    p> PASV 
    p> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWD 
    p> upload
    p> 227 Entering Passive Mode (193,89,248,81,7,177)
    p> 250 Directory changed to /f:/Download/upload
    
    p> End example
    
    p> Pizza. Yum.
    
    
    
    
    
    
    -- 
       Vladimir Dubrovin          Service Center Coordinator
      http://www.sandy.ru                 SANDY, ISP
    http://www.security.nnov.ru     Nizhny Novgorod, Russia
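The "unsafe fgets()" pattern named in the reply above, as an added example that is not part of the original post and is not Serv-U's code: a fixed-size line read splits an over-long line, and the tail is then handled as a separate command. The 512-byte buffer, the function names and the input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BUFSZ 512 /* assumed line buffer size, not taken from Serv-U */

/* Constructed input: "PASV " padded to BUFSZ-1 bytes, then "CWD upload\n". */
FILE *make_input(void) {
    FILE *f = tmpfile();
    if (!f) return NULL;
    fputs("PASV ", f);
    for (size_t i = 5; i < BUFSZ - 1; i++) fputc('A', f);
    fputs("CWD upload\n", f);
    rewind(f);
    return f;
}

/* Unsafe: every fgets() chunk counts as a command; last chunk is copied out. */
int read_naive(FILE *in, char *last, size_t n) {
    char buf[BUFSZ];
    int count = 0;
    for (; fgets(buf, sizeof buf, in); count++)
        snprintf(last, n, "%s", buf);
    return count;
}

/* Checked: a chunk without '\n' is an over-long line; reject it and discard
   input up to the newline so the tail is never parsed as a command. */
int read_checked(FILE *in, int *rejected) {
    char buf[BUFSZ];
    int count = 0, c;
    *rejected = 0;
    while (fgets(buf, sizeof buf, in)) {
        if (strchr(buf, '\n')) { count++; continue; }
        while ((c = getc(in)) != EOF && c != '\n') { }
        (*rejected)++;
    }
    return count;
}

int main(void) {
    char last[BUFSZ]; int rej, n;
    FILE *f = make_input();
    if (!f) return 1;
    n = read_naive(f, last, sizeof last);
    printf("naive: %d commands, last: %s", n, last);
    rewind(f);
    n = read_checked(f, &rej);
    printf("checked: %d accepted, %d rejected\n", n, rej);
    fclose(f);
    return 0;
}
```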
    


