Re: compress(vul) + ftpd(?)

From: H D Moore (sflistat_private)
Date: Thu Mar 07 2002 - 06:18:28 PST


    YES.  wu-ftpd will call compress with the file name as an argument if you 
    request the file name ending in .Z. You have to be able to write out a file 
    name containing the shell code to exploit the bug. I mentioned the compress 
    bug back in 1998 and again in 2000, it finally got fixed on some of the newer 
    SuSE releases (not sure about Red Hat, I don't use it).
    
    See: http://msgs.securepoint.com/cgi-bin/get/bugtraq0003/179.html
    
    Another fun one is tar, the --use-compress-program option might be 
    exploitable under wu-ftpd as well, although I can't think of a way to do it 
    offhand.
    
    On Tuesday 05 March 2002 07:43 am, HypH wrote:
    > [hyph@port ~]$ rpm -qf `which compress`
    > ncompress-4.2.4-21
    > [hyph@port ~]$ compress `perl -e 'print "A" x 1100'`
    > Segmentation fault  (core dumped)
    > [hyph@port ~]$gdb compress core
    > eip            0x41414141       0x41414141 <--- :-))
    > Compress isn't suid so it gives us no benefit. And here's my question:
    > Is there any way to force the ftpd to 'compress' a file before sending it,
    > from the client's side. I'm asking for this particular daemon because of
    > this:
    > -rwxr-xr-x    2 root     root          16k gru 12  2000 compress <-- :-))
    >
    > The benefits would be obvious.
    >
    > Sorry if it's a known bug/vulnerability (but I've never heard 'bout it
    > before)
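
Added example, not part of the original message and not code from ncompress or wu-ftpd: the kind of length check that stops an overlong file-name argument from overrunning a fixed buffer. It assumes the crash shown above comes from an unchecked copy of the name into a fixed-size buffer (the thread shows only the crash); `NAME_BUF` and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 1024  /* assumed size; not taken from the ncompress source */

/* Unchecked pattern: a command-line name longer than the buffer overruns it. */
void unsafe_output_name(char *out, const char *in)
{
    strcpy(out, in);
    strcat(out, ".Z");
}

/* Checked form: reject any name that does not fit with suffix and NUL. */
int safe_output_name(char *out, size_t outsz, const char *in)
{
    static const char suffix[] = ".Z";
    size_t len = strlen(in);

    if (len > outsz || len + sizeof(suffix) > outsz)
        return -1;
    memcpy(out, in, len);
    memcpy(out + len, suffix, sizeof(suffix));  /* copies the NUL too */
    return 0;
}

/* Constructed input: a name of n 'A' characters, as in the quoted test. */
int try_name_of_length(size_t n)
{
    char name[4096], out[NAME_BUF];

    if (n >= sizeof(name))
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    return safe_output_name(out, sizeof(out), name);
}

int main(void)
{
    char out[NAME_BUF];

    unsafe_output_name(out, "short");  /* fits, so nothing goes wrong here */
    printf("%s\n", out);
    printf("1100 bytes: %d\n", try_name_of_length(1100));
    printf("1021 bytes: %d\n", try_name_of_length(1021));
    return 0;
}
```

A daemon that hands client-supplied names to a helper program can apply the same length limit before it invokes the helper.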
    


