Vulnerability Development
mailing list archives
Re: New bugs discovered!
From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Tue, 20 Nov 2001 10:36:55 +0000 (GMT)
On Mon, 19 Nov 2001, The Itch wrote:
Ah, yes, and so are /usr/bin/compress, /usr/bin/uncompress, /bin/zcat
and /bin/gunzip vulnerable to simple buffer overflows.
(Compress version: (N)compress 4.2.4, compiled: Mon Feb 7 16:15:44 EST 2000)
(zcat 1.2.4 (18 Aug 93))
This is on Red Hat 6.2.
Verified here on RH 7.2 with compress and uncompress:
$ uncompress `perl -e 'print "A" x 2048'`
Segmentation fault
$ compress `perl -e 'print "A" x 2048'`
Segmentation fault
$ compress -V
Compress version: (N)compress 4.2.4, compiled: Mon Jun 25 04:14:46 EDT 2001
Compile options:
FAST, DIRENT,
REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16
[ ... ]
$ rpm -qif `which compress`
Name : ncompress Relocations: (not relocateable)
Version : 4.2.4 Vendor: Red Hat, Inc.
Release : 24 Build Date: Mon 25 Jun 2001 09:14:50 BST
[ ... ]
uncompress and compress are called by wuftpd (maybe other ftpd's too) to
compress and uncompress files on the fly
I quickly looked into it a few months ago. I am not sure, but I believe the
maximum input you can give is 1024 bytes in wuftpd, thus not enough to
overflow the buffers of either of those programs.
I think you're right that wu-ftp is unintentionally protecting buffer
overflows, but I'm not sure about the value; strace indicates a read of
4096, and a manually spoofed ftp connection indicates 511 bytes (+1 for
the NULL). Anyone else?
Incidentally, whilst I was testing...
$ ncftp
NcFTP 3.0.3 (April 15, 2001) by Mike Gleason (ncftp () ncftp com).
ncftp> $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** Error: getline(): input buffer overflow
$
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$ rpm -qif `which ncftp`
Name : ncftp Relocations: /usr
Version : 3.0.3 Vendor: Red Hat, Inc.
Release : 6 Build Date: Sat 04 Aug 2001 20:55:09 BST
Probably not exploitable, but...
Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/
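The crash above comes from a filename argument far longer than the fixed buffer compress and uncompress copy it into, and the thread's open question is whether the FTP server's command-line limit (1024, 4096, or 511 + NUL) keeps such an argument from reaching them. The following is an added example, not code from the thread or from ncompress/wu-ftpd: a bounded "<name>.Z" builder that rejects over-long names instead of relying on the caller, beside a reader that mimics a 511-byte command-line cap. MAX_PATH_LEN and the 2048-byte name are constructed values.

```c
#include <stdio.h>
#include <string.h>

#define Z_SUFFIX ".Z"
#define MAX_PATH_LEN 1024   /* assumed buffer size for this example */

/* Hardened form of "char tmp[N]; strcpy(tmp, argv[i]); strcat(tmp, ".Z");".
 * Returns 0 and writes "<name>.Z" into out, or -1 if name + suffix + NUL
 * would not fit in outsz bytes. Rejecting (not truncating) keeps the
 * caller from silently operating on a different file. */
int build_z_name(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name), s = strlen(Z_SUFFIX);
    if (outsz <= s || n > outsz - s - 1)
        return -1;                      /* would overflow: refuse */
    memcpy(out, name, n);
    memcpy(out + n, Z_SUFFIX, s + 1);   /* s + 1 copies the NUL too */
    return 0;
}

/* Mimics a server-side command reader that keeps at most limit-1 bytes
 * (the thread mentions 511 + NUL). Returns the number of bytes stored.
 * Such a front-end cap protects the helper only by accident, which is why
 * build_z_name() performs its own check. */
size_t read_command_line(const char *wire, char *buf, size_t limit)
{
    size_t i = 0;
    while (i + 1 < limit && wire[i] != '\0' && wire[i] != '\n') {
        buf[i] = wire[i];
        i++;
    }
    buf[i] = '\0';
    return i;
}

/* Builds a name of len 'A's (constructed input) and reports whether
 * build_z_name() accepts it into a MAX_PATH_LEN buffer. */
int check_name_of_length(size_t len)
{
    char name[4096], out[MAX_PATH_LEN];
    if (len >= sizeof name) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return build_z_name(name, out, sizeof out);
}

int main(void)
{
    printf("10 A's: %d, 2048 A's: %d\n", check_name_of_length(10), check_name_of_length(2048));
    return 0;
}
```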