Bugtraq mailing list archives

Re: A couple of patches (RFC931 and scp location)
From: simmonmt () CS PURDUE EDU (Matt Simmons)
Date: Sun, 8 Jun 1997 17:08:23 -0500


I added the authuser code from wu-ftpd 2.4 to ssh, and mentioned it in
a post to the ssh list.  One of the subscribers to that list, Benjamin
Stassart, looked through it and found a possible buffer overrun.  His
message is included below - it refers to authuser.c from the support
directory of the wu-ftpd distribution.  Is this overrun exploitable
and therefore nasty & bad?

Matt

Benjamin J Stassart <dszd0g () dasb fhda edu> writes:
[...]

Also, unless I am mistaken it appears you could over-run one of the
buffers in authuser.c with spaces or tabs.  What this would be able to
accomplish I do not know, but it should be fixed.

        while ((w = read(s, &ch, 1)) == 1) {
                *buf = ch;                      /* store the byte at the current position */
                if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
                        ++buf;                  /* advance only past non-blank characters */
                if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
                        break;                  /* stop at the buffer bound or end of line */
        }

Switching the if statements should fix the problem I believe?

[...]

As for ease of overflowing the buffer, I would say pretty easy.  I have
hacked up pidentd source quite a bit.  It is not difficult.  Since the
buffer is just read directly from the socket, well...

Benjamin J. Stassart
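Matt's question is whether the quoted loop can actually be driven past the end of realbuf. One offline way to answer that kind of question, added here as an editor's example and not code from the post, from wu-ftpd or from ssh, is to replay the loop exactly as quoted against a buffer with guard bytes behind it, feeding it constructed input in place of the socket. The buffer size (64 bytes), the guard layout and the sample ident reply are assumptions; the post does not show realbuf's declaration or what happens to buf after the loop, so the harness covers only the quoted lines. A flag also runs the loop with the two if statements swapped, as the reply suggests, so the two orderings can be compared.

```c
/* Added harness (not from the original post or wu-ftpd): replays the quoted
 * authuser.c read loop against a guarded buffer and constructed input so a
 * suspected overrun can be checked without a network. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REALBUF_SIZE 64      /* assumed; the post does not show realbuf's declaration */
#define CANARY_LEN   8
#define CANARY_BYTE  0xAA

/* Stand-in for the socket: read() one byte at a time from an in-memory string. */
struct fake_socket { const char *data; size_t len; size_t pos; };

static int fake_read(struct fake_socket *fs, char *ch)
{
    if (fs->pos >= fs->len)
        return 0;                 /* peer closed the connection */
    *ch = fs->data[fs->pos++];
    return 1;
}

struct run_result {
    size_t max_index_written;     /* highest realbuf index that received a byte */
    size_t bytes_consumed;        /* bytes pulled from the socket before the loop ended */
    int terminated_by_newline;    /* 1 if '\n' ended the loop, 0 if the bound or EOF did */
    int canary_intact;            /* 0 means a write landed past realbuf */
    int hard_stop;                /* harness refused a write beyond its own storage */
};

/* bound_check_first = 0 replays the loop exactly as quoted;
 * bound_check_first = 1 swaps the two if statements as the reply suggests. */
static struct run_result run_loop(const char *input, size_t len, int bound_check_first)
{
    char storage[REALBUF_SIZE + CANARY_LEN];
    char *realbuf = storage;      /* stands in for the array in authuser.c */
    char *buf = realbuf;
    struct fake_socket fs = { input, len, 0 };
    struct run_result r = { 0, 0, 0, 1, 0 };
    char ch;
    int w;

    memset(storage, 0, sizeof storage);
    memset(storage + REALBUF_SIZE, CANARY_BYTE, CANARY_LEN);

    while ((w = fake_read(&fs, &ch)) == 1) {
        size_t idx = (size_t)(buf - realbuf);
        if (idx >= sizeof storage) {   /* harness safety: never corrupt our own stack */
            r.hard_stop = 1;
            break;
        }
        if (idx > r.max_index_written)
            r.max_index_written = idx;
        *buf = ch;
        if (bound_check_first) {
            if ((buf - realbuf == REALBUF_SIZE - 1) || (ch == '\n')) {
                r.terminated_by_newline = (ch == '\n');
                break;
            }
            if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
                ++buf;
        } else {
            if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
                ++buf;
            if ((buf - realbuf == REALBUF_SIZE - 1) || (ch == '\n')) {
                r.terminated_by_newline = (ch == '\n');
                break;
            }
        }
    }
    r.bytes_consumed = fs.pos;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if ((unsigned char)storage[REALBUF_SIZE + i] != CANARY_BYTE)
            r.canary_intact = 0;
    return r;
}

static struct run_result run_loop_str(const char *s, int bound_check_first)
{
    return run_loop(s, strlen(s), bound_check_first);
}

/* Builds n copies of one byte, e.g. a run of spaces, and replays the loop over it. */
static struct run_result run_repeated(char c, size_t n, int bound_check_first)
{
    char input[256];
    if (n > sizeof input)
        n = sizeof input;
    memset(input, c, n);
    return run_loop(input, n, bound_check_first);
}

/* Constructed ident reply, not captured traffic. */
static const char SAMPLE_IDENT_REPLY[] = "1234 , 5678 : USERID : UNIX : alice\r\n";

static void describe(const char *label, struct run_result r)
{
    printf("%-28s max_index=%zu consumed=%zu newline=%d canary_ok=%d hard_stop=%d\n",
           label, r.max_index_written, r.bytes_consumed, r.terminated_by_newline,
           r.canary_intact, r.hard_stop);
}

int main(void)
{
    describe("ident reply, as quoted", run_loop_str(SAMPLE_IDENT_REPLY, 0));
    describe("200 spaces, as quoted", run_repeated(' ', 200, 0));
    describe("200 letters, as quoted", run_repeated('A', 200, 0));
    describe("200 letters, checks swapped", run_repeated('A', 200, 1));
    return 0;
}
```

Run stand-alone, it prints one line per input. With the loop ordered as quoted, a space or tab is stored at the current position but does not advance buf, so a run of whitespace keeps the loop reading until the peer closes the connection, with the guard bytes untouched; non-blank input stops one byte short of the end (index 62 of 64), and swapping the two if statements lets the final byte (index 63) be written before the loop stops. What either ordering means in practice depends on what authuser.c does with buf after the loop, which the post does not show, so that part of the file is the next thing to read.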