Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: question regarding CAN-2004-0930
From: Christian <evilninja () gmx net>
Date: Wed, 17 Nov 2004 00:13:52 +0100

Paul Schmehl wrote:

Because in the former case you were attempting to access a file through the daemon. In the latter, you were attempting to access a file through a unix utility. The former (smbd) is vulnerable. The latter (ls) apparently is not.

hm, i still don't get it: the daemon has to answer to "dir" too, doesn't he? the sole reason that "ls is a unix utility" does not make sense in this context. "ls" and "dir" are not vulnerable here, sure, but this still does not explain why smbd acts different here. i've played around with tcpdump and strace here. the tcpdump looks very similiar, the smbd's answer to "ls" is much shorter, as "strace" reveals.

so i just assume that "dir" _triggers_ the bug, while "ls" does not and since i lack C expertise (and the souce of "dir"), i'll never find out why ;)
and no, i am not digging deeper here, i was just curious.

thank you (both) for comments,
BOFH excuse #170:

popper unable to process jumbo kernel

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]