On Mon, 19 Nov 2001, The Itch wrote:

> ah, yes and so are /usr/bin/compress, /usr/bin/uncompress and /bin/zcat
> and /bin/gunzip vulnerable to simple buffer overflows.
>
> (Compress version: (N)compress 4.2.4, compiled: Mon Feb 7 16:15:44 EST 2000)
> (zcat 1.2.4 (18 Aug 93))
>
> this is on redhat 6.2

Verified here on RH 7.2 with compress and uncompress:

$ uncompress `perl -e 'print "A" x 2048'`
Segmentation fault
$ compress `perl -e 'print "A" x 2048'`
Segmentation fault
$ compress -V
Compress version: (N)compress 4.2.4, compiled: Mon Jun 25 04:14:46 EDT 2001
Compile options:
        FAST, DIRENT, REGISTERS=20
        IBUFSIZ=1024, OBUFSIZ=1024, BITS=16
[ ... ]
$ rpm -qif `which compress`
Name        : ncompress                    Relocations: (not relocateable)
Version     : 4.2.4                        Vendor: Red Hat, Inc.
Release     : 24                           Build Date: Mon 25 Jun 2001 09:14:50 BST
[ ... ]

> uncompress and compress are called by wuftpd (maybe other ftpd's too) to
> compress and uncompress files on the fly
>
> I quickly looked into it a few months ago, i am not sure, but i believe
> maximum input you can give is 1024 bytes in wuftpd, thus not enough to
> overflow the buffers of either of those programs

I think you're right that wu-ftp is unintentionally protecting buffer
overflows, but I'm not sure about the value; strace indicates a read of
4096, and a manually spoofed ftp connection indicates 511 bytes (+1 for
the NULL). Anyone else?

Incidentally, whilst I was testing...

$ ncftp
NcFTP 3.0.3 (April 15, 2001) by Mike Gleason (ncftpat_private).
ncftp> $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** Error: getline(): input buffer overflow
$ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$ rpm -qif `which ncftp`
Name        : ncftp                        Relocations: /usr
Version     : 3.0.3                        Vendor: Red Hat, Inc.
Release     : 6                            Build Date: Sat 04 Aug 2001 20:55:09 BST

Probably not exploitable, but...

Best Regards,
Alex.
-- 
Alex Butcher      Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK     Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950   http://www.cocoa.demon.co.uk/cv/
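The crashes above come from handing compress/uncompress a filename argument far longer than whatever fixed-size name buffer they use internally. As an added illustration (not part of Alex's message, and not taken from the ncompress or wu-ftpd sources), the C below shows the defensive pattern that prevents this class of bug: a filename is copied into a fixed buffer only after checking that it, and the derived ".Z" output name, fit. The buffer size FNAME_MAX and both helper names are hypothetical; the 2048-byte test input is constructed to mirror the perl one-liner in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit for this example; not the value used by ncompress. */
#define FNAME_MAX 1024

/* Hardened copy: accept a command-line filename into a fixed buffer only
 * when it plus the terminating NUL fits. Returns 0 on success, -1 when the
 * name is too long. An unchecked strcpy() here is the defect class that
 * produces the segmentation faults shown in the post. */
int copy_filename_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Derive the ".Z" output name with the same discipline: snprintf() reports
 * the length it wanted, so truncation is detected instead of overflowing. */
int make_compressed_name(char *dst, size_t dstsz, const char *src)
{
    int written = snprintf(dst, dstsz, "%s.Z", src);
    if (written < 0 || (size_t)written >= dstsz)
        return -1;
    return 0;
}

/* Constructed input mirroring `perl -e 'print "A" x 2048'`: the hardened
 * copy must refuse it (returns -1) rather than crash. */
int check_long_argument(void)
{
    char name[FNAME_MAX];
    char arg[2049];
    memset(arg, 'A', 2048);
    arg[2048] = '\0';
    return copy_filename_checked(name, sizeof name, arg);
}

int main(int argc, char **argv)
{
    char name[FNAME_MAX], out[FNAME_MAX];

    if (argc < 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    if (copy_filename_checked(name, sizeof name, argv[1]) != 0 ||
        make_compressed_name(out, sizeof out, name) != 0) {
        fprintf(stderr, "filename too long (limit %d bytes)\n", FNAME_MAX - 1);
        return 1;
    }
    printf("would compress %s -> %s\n", name, out);
    return 0;
}
```

Run it with a normal name and it prints the planned output name; run it with the 2048-A argument from the post and it exits with an error instead of faulting. The point for a reviewer is that both the input name and every string derived from it are bounded by the destination size, which is the property wu-ftpd's input-length limit was only accidentally providing.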
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 08:37:57 PST