Re: New bugs discovered!

From: Syzop (syzat_private)
Date: Mon Nov 19 2001 - 11:13:31 PST


    "Larry W. Cashdollar" wrote:
    
    > I think we are going to find a new era of buffer overflows, not in
    > the daemons themselves but the user utilities that they call.  Overflows
    > in non-setuid binaries might be worth cataloging if these binaries are
    > being called by applications that are listening to a socket.
    
    I was thinking about this a month ago or so, and then started
    looking at the ls source code, because some (most?) ftp servers use an
    external /bin/ls (in the chroot, if you are an anonymous user)... so if it contains
    a bug... :)
    Anyway, I didn't find anything...
    Also, if you _do_ find a bug in it, you're still in the chroot jail (and uid != 0)...
    could be difficult to get out... mm, maybe with kernel exploit -> root -> break out...
    
    Mmm, about the gzip bug...
    will an ftp server allow you to pass a filename of ~1100 chars?
    It looks like a free() bug (trying to free 0x41414141 ["env" in do_exit IIRC]),
    or at least with the gzip source code / rh6.1...
    
        Syzop.
    
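The point Syzop raises about an external /bin/ls inside an anonymous-FTP chroot has a practical consequence for defenders: a helper binary copied into a jail is a second copy that patching the host does not touch. The script below is an added example, not part of the thread and not from any ftp server's own tooling; it inventories executables under a chroot root and flags those that differ from (or are missing at) the same path on the host. The `chroot_binaries`, `stale_copies` and `make_sample` names and the sample tree it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): inventory helper binaries
# inside an FTP chroot and flag copies that differ from the host's copy,
# so an externally called /bin/ls inside the jail is not left unpatched.
# Function names and the sample tree are constructed for this demo.

# Print relative paths of executable regular files under a chroot root.
chroot_binaries() {
    root="$1"
    find "$root" -type f -perm -u+x | sed "s|^$root/||" | sort
}

# Print each executable in CHROOT that differs from the same path under HOST
# (or is missing on the host). Usage: stale_copies CHROOT HOST
stale_copies() {
    jail="$1"; host="$2"
    chroot_binaries "$jail" | while IFS= read -r rel; do
        if [ ! -f "$host/$rel" ] || ! cmp -s "$jail/$rel" "$host/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Build a constructed sample: a fake host tree and a fake jail whose ls copy
# lags behind the host's. Prints the base directory it created.
make_sample() {
    base="$(mktemp -d)"
    mkdir -p "$base/host/bin" "$base/jail/bin" "$base/jail/usr/bin"
    printf 'ls-v2\n'   > "$base/host/bin/ls"
    printf 'ls-v1\n'   > "$base/jail/bin/ls"        # stale copy in the jail
    printf 'gzip-v1\n' > "$base/host/bin/gzip"
    printf 'gzip-v1\n' > "$base/jail/bin/gzip"      # identical to host, fine
    printf 'tar-v1\n'  > "$base/jail/usr/bin/tar"   # not present on host at all
    chmod +x "$base"/host/bin/* "$base"/jail/bin/* "$base"/jail/usr/bin/*
    printf '%s\n' "$base"
}

# Stand-alone run: build the sample and report what needs attention.
if [ "${DEMO_RUN:-1}" = 1 ]; then
    base="$(make_sample)"
    echo "Executables in jail:"; chroot_binaries "$base/jail"
    echo "Stale or unmatched copies:"; stale_copies "$base/jail" "$base/host"
    rm -rf "$base"
fi
```

On a real system you would run `stale_copies /var/ftp /` (or whatever the server's chroot root is); anything it prints is a binary the network daemon may execute that your normal package updates did not refresh. A byte-for-byte `cmp` is deliberately strict: a jail copy that merely differs in build is still worth a look.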



    This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 11:52:26 PST