Re: question regarding CAN-2004-0930
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 17 Nov 2004 17:49:12 -0600
--On Wednesday, November 17, 2004 12:13:52 AM +0100 Christian <evilninja () gmx net> wrote:
> hm, I still don't get it: the daemon has to answer to "dir" too, doesn't
> he? The sole reason that "ls is a unix utility" does not make sense in
> this context. "ls" and "dir" are not vulnerable here, sure, but this
> still does not explain why smbd acts different here.
> I've played around with tcpdump and strace here. The tcpdump looks very
> similar; the smbd's answer to "ls" is much shorter, as "strace" reveals.
I've obviously done a poor job of explaining the problem then.
When you do a "dir", you are making a call that the daemon has to respond
to. The daemon is vulnerable, so when you make a "dir" request with the
specific parameters that overflow the buffer in the daemon, it crashes.
When you do an "ls", you are making a call that the *OS* has to respond to.
The OS is *not* vulnerable, so it (properly) rejects the request as
Hopefully that makes more sense to you.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
Full-Disclosure - We believe in it.