Full Disclosure mailing list archives

Re: question regarding CAN-2004-0930
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 17 Nov 2004 17:49:12 -0600

--On Wednesday, November 17, 2004 12:13:52 AM +0100 Christian <evilninja () gmx net> wrote:

Hm, I still don't get it: the daemon has to answer to "dir" too, doesn't
it? The sole reason that "ls is a unix utility" does not make sense in
this context. "ls" and "dir" are not vulnerable here, sure, but this
still does not explain why smbd acts differently here.
I've played around with tcpdump and strace here. The tcpdump looks very
similar; the smbd's answer to "ls" is much shorter, as "strace" reveals.

I've obviously done a poor job of explaining the problem then.

When you do a "dir", you are making a call that the daemon has to respond to. The daemon is vulnerable, so when you make a "dir" request with the specific parameters that overflow the buffer in the daemon, it crashes.

When you do an "ls", you are making a call that the *OS* has to respond to. The OS is *not* vulnerable, so it (properly) rejects the request as malformed.

Hopefully that makes more sense to you.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
