The patches have been available over a week now. I think that is long
enough.
On the 1st of December Przemyslaw Frasunek (venglin_at_freebsd.lublin.pl)
wrote something about getting a wu-ftpd exploit working. The problem he
was having was to do with the following macro:
#define arena_for_ptr(ptr) \
(((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
&main_arena : heap_for_ptr(ptr)->ar_ptr)
He worked around it by making a hacked up version of the malloc function.
My solution: put the chunk on the heap between sbrk_base and the top value
of the main_arena.
How? Get the chunk malloc()ed and stored there, then brute force it. (The
exact position varies depending on a whole lot of things, and brute
forcing is nice for system admins. They have pretty good evidence that
there has been an attack. ;])
-- zen-parse
P.S. Apparently there are earlier versions of this exploit floating
around. Many of them are even buggier than this one, and all some of them
will do is add a few hundred K to the log files.
P.P.S Sorry, but it was too much temptation to resist posting it as
wu261.c. The program is a wrapper for the archive.
--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse_at_gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
Received on Dec 12 2001
Intro
