[Full-disclosure] VSFTPD Remote Heap Overrun (low severity)
- To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] VSFTPD Remote Heap Overrun (low severity)
- From: "HI-TECH ." <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx>
- Date: Sat, 3 Dec 2011 01:50:52 +0100
This is afaik a patched CVE in Linux glibc [1] which can be triggered through
the very secure ftp daemon [2], so it will only work on older Linux distros.
Be aware that vsftpd has privilege separation built in, so this bug
will not yield a root shell.
It could yield root only in conjunction with a Linux kernel vulnerability,
because the attacker will not be able to break the chroot without being root.
This bug has a low severity because it's hard to exploit.
Linux systems without patched glibc are vulnerable even if the latest
version vsftpd-2.3.4 is installed.
The bug is in the glibc timezone code. vsftpd loads timezone files
from /usr [3]. If the attacker is inside a chroot
he can easily create this directory and the timezone file and trigger
the heap overrun.
A debugging session illustrating the bug can be found on YouTube:
http://www.youtube.com/watch?v=KRCuozBM_dQ
Cheers!
[1] http://dividead.wordpress.com/tag/heap-overflow/
[2] https://security.appspot.com/vsftpd.html
[3] For example /usr/share/zoneinfo/UTC-01:00
/Kingcope
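
A defender-side audit for the condition the post describes (a zoneinfo tree inside an FTP chroot that the confined user could create or modify), as an added example that is not part of the original post or of vsftpd. The function names, the reason labels and the `trusted_uids` parameter are assumptions made for illustration.

```python
import os
import stat
import sys

# Path the post names in footnote [3], taken relative to the chroot root.
ZONEINFO_PARTS = ("usr", "share", "zoneinfo")


def _untrusted(st, trusted_uids):
    """True if a non-trusted uid owns the entry or group/other may write to it."""
    if st.st_uid not in trusted_uids:
        return True
    # Symlink permission bits carry no meaning on Linux; judge links by owner only.
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return not stat.S_ISLNK(st.st_mode) and bool(writable)


def audit_chroot(root, trusted_uids=(0,)):
    """Return (reason, path) findings for one FTP chroot root."""
    findings = []
    # A root the confined user can write to lets them create usr/ themselves.
    if _untrusted(os.lstat(root), trusted_uids):
        findings.append(("writable-root", root))
    path = root
    for part in ZONEINFO_PARTS:
        path = os.path.join(path, part)
        if not os.path.lexists(path):
            return findings  # no zoneinfo tree inside this chroot
        if _untrusted(os.lstat(path), trusted_uids):
            findings.append(("untrusted-dir", path))
    # The tree exists: report every entry an untrusted account controls.
    for dirpath, dirnames, filenames in os.walk(path):
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            if _untrusted(os.lstat(full), trusted_uids):
                findings.append(("untrusted-entry", full))
    return findings


def audit_all(roots, trusted_uids=(0,)):
    """Audit several chroot roots, skipping paths that are not directories."""
    return {r: audit_chroot(r, trusted_uids) for r in roots if os.path.isdir(r)}


if __name__ == "__main__":
    # Usage: pass the chroot roots (e.g. FTP users' home directories) as arguments.
    for chroot, found in audit_all(sys.argv[1:]).items():
        for reason, where in found:
            print(f"{chroot}: {reason}: {where}")
```

Any finding means the timezone data that the daemon would load from inside that chroot is under the control of an account other than the trusted ones.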