On Monday 11 March 2002 04:35 am, Pavel Kankovsky wrote:
> On Sat, 9 Mar 2002, H D Moore wrote:
> > ftp> mkdir A<254 * 0x90>
> > ftp> cd A*
> > [...]
> >
> > ftp> put <reallysmallscode>
> > ftp> cd ../../../../
> > ftp> get A*/B*/C*/D*/reallysmallscode.Z
>
> Afaik this won't work because glob() does not expand the path unless a file
> matching the *complete* pattern exists. But if x.Z exists, "get x.Z" will
> not run compress. Fortunately, we do not get Catch 22 because there is a
> nice race condition there. To make things better, wu-ftpd appears to
> compute all filenames matching a pattern during wildcard expansion and
> drops everything but the first entry of the list afterwards, i.e. it is
> possible to make the delay much longer and easier to exploit.

Understood, the glob won't match a file name that doesn't exist yet. How
would this race condition work? Create an x.Z, make the request, delete it
after the glob match but before the final stat()?
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 08:02:29 PST