Re: question regarding CAN-2004-0930

[Paul Schmehl <pauls () utdallas edu>]

--On Wednesday, November 17, 2004 12:13:52 AM +0100 Christian 
<evilninja () gmx net> wrote:
> hm, i still don't get it: the daemon has to answer to "dir" too, doesn't
> he? the sole reason that "ls is a unix utility" does not make sense in
> this context. "ls" and "dir" are not vulnerable here, sure, but this
> still does not explain why smbd acts different here.
> i've played around with tcpdump and strace here. the tcpdump looks very
> similiar, the smbd's answer to "ls" is much shorter, as "strace" reveals.

I've obviously done a poor job of explaining the problem then.

When you do a "dir", you are making a call that the daemon has to respond 
to.  The daemon is vulnerable, so when you make a "dir" request with the 
specific parameters that overflow the buffer in the daemon, it crashes.

When you do an "ls", you are making a call that the *os* has to respond to. 
The os is *not* vulnerable, so it (properly) rejects the request as 
malformed.

Hopefully that makes more sense to you.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html