"Larry W. Cashdollar" wrote:

> I think we are going to find a new era of buffer overflows, not in
> the daemons themselves but the user utilities that they call. Overflows
> in non-setuid binaries might be worth cataloging if these binaries are
> being called by applications that are listening to a socket.

I've been thinking about this a month ago or something, and then started looking at the ls source code, because some (most?) ftp servers use an external /bin/ls (in the chroot, if you are an anonymous user)... so if it contains a bug... :)

Anyway, I didn't find anything...

Also, if you _do_ find a bug in it, you're still in the chroot jail (and uid != 0)... could be difficult to get out... mm maybe with kernel exploit -> root -> break out...

Mmm, about the gzip bug... will an ftp server allow you to pass a filename of ~1100 chars? It looks like a free() bug (trying to free 0x41414141 ["env" in do_exit IIRC]), or at least with gzip source code / rh6.1...

Syzop.
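An added example in C, not part of this thread or of any ftp server or utility mentioned in it, showing the defensive pattern Syzop's reply relies on: a daemon that must run an external helper such as /bin/ls on a remote user's behalf should validate the argument it hands over (length, leading dash, control characters) and confine the child (chroot, drop to an unprivileged uid/gid, minimal environment) before the exec, so that a bug in the helper is reached only by bounded input and only inside the jail. The jail path, the uid/gid and the 255-byte argument limit are assumed values chosen for illustration.

```c
/* Added example (not code from the thread). Run an external helper
 * on behalf of a remote user with bounded input and confinement.
 * Assumed values: the jail directory, uid/gid and MAX_ARG_LEN. */
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARG_LEN 255   /* assumed bound: typical NAME_MAX */

/* Reject arguments an external utility might mishandle: NULL, empty,
 * longer than MAX_ARG_LEN, starting with '-' (would be parsed as an
 * option by the helper), or containing control characters.
 * Returns 1 if the argument may be passed on, 0 otherwise. */
int arg_is_safe(const char *arg)
{
    if (arg == NULL)
        return 0;
    size_t n = strnlen(arg, MAX_ARG_LEN + 1);
    if (n == 0 || n > MAX_ARG_LEN)
        return 0;
    if (arg[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)arg[i]))
            return 0;
    return 1;
}

/* In the child, before exec: enter the jail and give up root.
 * Order matters: chroot() then chdir("/"), supplementary groups and
 * gid before uid, then verify that root cannot be regained.
 * Requires root to succeed; returns 0 on success, -1 on failure. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0)        return -1;
    if (chdir("/") != 0)          return -1;
    if (setgroups(0, NULL) != 0)  return -1;
    if (setgid(gid) != 0)         return -1;
    if (setuid(uid) != 0)         return -1;
    if (setuid(0) == 0)           return -1;  /* must fail now */
    return 0;
}

/* Run "/bin/ls -l -- <arg>" inside the jail with a minimal environment.
 * Returns the helper's exit status, or -1 if the argument is rejected
 * or the child could not be run. Rejection happens before fork(). */
int run_ls_confined(const char *jail, uid_t uid, gid_t gid, const char *arg)
{
    if (!arg_is_safe(arg))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* "--" ends option parsing so arg is always treated as a path. */
        char *const argv[] = { "ls", "-l", "--", (char *)arg, NULL };
        char *const envp[] = { "PATH=/bin", NULL };   /* no inherited env */
        if (confine(jail, uid, gid) != 0)
            _exit(127);
        execve("/bin/ls", argv, envp);
        _exit(127);                                   /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Illustrative call; needs root and an existing jail to succeed. */
    int rc = run_ls_confined("/var/ftp", 65534, 65534, "pub");
    printf("helper exit status: %d\n", rc);
    return 0;
}
```

The length bound is what stops an overlong filename of the kind the reply asks about from ever reaching the helper; the `--` separator and leading-dash check keep user data from being parsed as options; the chroot and uid drop happen in the child only, so the daemon itself keeps running.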
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 11:52:26 PST