Re: New bugs discovered!

From: Alex Butcher (vuln-dev) (vulndevat_private)
Date: Tue Nov 20 2001 - 02:36:55 PST


    On Mon, 19 Nov 2001, The Itch wrote:
    
    > ah, yes and so are /usr/bin/compress, /usr/bin/uncompress and /bin/zcat
    > and /bin/gunzip vulnerable to simple buffer overflows.
    > 
    > (Compress version: (N)compress 4.2.4, compiled: Mon Feb  7 16:15:44 EST 2000)
    > (zcat 1.2.4 (18 Aug 93))
    > 
    > this is on redhat 6.2
    
    Verified here on RH 7.2 with compress and uncompress:
    
    $ uncompress `perl -e 'print "A" x 2048'`
    Segmentation fault
    $ compress `perl -e 'print "A" x 2048'`
    Segmentation fault
    $ compress -V
    Compress version: (N)compress 4.2.4, compiled: Mon Jun 25 04:14:46 EDT 2001
    Compile options:
            FAST, DIRENT, 
            REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16
    [ ... ]
    $ rpm -qif `which compress`
    Name        : ncompress                    Relocations: (not relocateable)
    Version     : 4.2.4                             Vendor: Red Hat, Inc.
    Release     : 24                            Build Date: Mon 25 Jun 2001 09:14:50 BST
    [ ... ]
    
    > uncompress and compress are called by wuftpd (maybe other ftpd's too) to
    > compress and uncompress files on the fly
    > 
    > I quickly looked into it a few months ago, i am not sure, but i believe
    > maximum input you can give is 1024 bytes in wuftpd, thus not enough to
    > overflow the buffers of either of those programs
    
    I think you're right that wu-ftp is unintentionally protecting against buffer 
    overflows, but I'm not sure about the value; strace indicates a read of 
    4096, and a manually spoofed ftp connection indicates 511 bytes (+1 for 
    the NULL). Anyone else?
    
    Incidentally, whilst I was testing...
    
    $ ncftp
    NcFTP 3.0.3 (April 15, 2001) by Mike Gleason (ncftpat_private).
    ncftp> $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
    *** Error: getline(): input buffer overflow
    $ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
    $ rpm -qif `which ncftp`
    Name        : ncftp                        Relocations: /usr 
    Version     : 3.0.3                             Vendor: Red Hat, Inc.
    Release     : 6                             Build Date: Sat 04 Aug 2001 20:55:09 BST
    
    Probably not exploitable, but...
    
    Best Regards,
    Alex.
    -- 
    Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
    Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
    PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/
    
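The bug class under discussion, as an added illustration that is not ncompress, wu-ftpd or ncftp code: a filename-plus-suffix built into a fixed-size buffer with strcpy/strcat, beside a length-checked version, and a model of a server that reads command lines into a 512-byte buffer (so an argument can never exceed 511 bytes, which is the figure from the spoofed ftp connection above). The buffer size NAME_MAX_LEN, the ".Z" suffix handling, and the function names are assumptions made for the example; the real buffer in compress 4.2.4 may differ.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer; 1024 is chosen to match the IBUFSIZ=1024 shown
 * by "compress -V" above, not because the overflowed buffer is known to be it. */
#define NAME_MAX_LEN 1024
#define SUFFIX ".Z"

/* Vulnerable pattern: no length check, so an argv entry of >= NAME_MAX_LEN
 * bytes (e.g. the 2048 "A"s in the post) overruns tmp on the stack.
 * Kept only for contrast; do not call it with untrusted input. */
int build_output_name_unsafe(char *out, const char *name)
{
    char tmp[NAME_MAX_LEN];
    strcpy(tmp, name);              /* overflow here */
    strcat(tmp, SUFFIX);
    strcpy(out, tmp);
    return 0;
}

/* Hardened form: refuse names that would not fit, including the suffix and
 * the terminating NUL, in both the scratch buffer and the caller's buffer. */
int build_output_name_safe(char *out, size_t outsz, const char *name)
{
    char tmp[NAME_MAX_LEN];
    size_t need = strlen(name) + strlen(SUFFIX) + 1;

    if (need > sizeof tmp || need > outsz)
        return -1;                  /* too long: reject instead of overflowing */
    snprintf(tmp, sizeof tmp, "%s%s", name, SUFFIX);
    memcpy(out, tmp, need);
    return 0;
}

/* Model of a server reading one command line into a fixed buffer with
 * fgets-like semantics: at most dstsz-1 bytes are kept, then a NUL.
 * With a 512-byte buffer this caps any argument at 511 bytes, which is why a
 * 2048-byte name never reaches compress through such a server. This is an
 * assumption about the mechanism, not wu-ftpd's own code. */
size_t cap_command_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n > dstsz - 1)
        n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Constructed test input: a string of n 'A's, like perl -e 'print "A" x n'. */
const char *repeat_a(size_t n)
{
    static char buf[4096];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    char out[2048];
    const char *name = argc > 1 ? argv[1] : repeat_a(2048);

    if (build_output_name_safe(out, sizeof out, name) < 0)
        printf("rejected: name of %zu bytes would overflow\n", strlen(name));
    else
        printf("output name: %s\n", out);
    return 0;
}
```

Running the block as `./a.out $(perl -e 'print "A" x 2048')` reproduces the input from the post and prints the rejection line instead of segfaulting; the unsafe function is the shape that does segfault.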



    This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 08:37:57 PST