[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[stalk:00281] Re: FTP $B%5!<%P(B$B$K%;%-%e%j%F%#%[!<%k(B

To: security-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [stalk:00281] Re: FTP $B%5!<%P(B$B$K%;%-%e%j%F%#%[!<%k(B
From: Seiichi Nakashima <nakasei@xxxxxxxxxxxx>
Date: Wed, 11 Apr 2001 09:24:32 +0900

(B
(B
$BCfEg$G$9(B
(B
$B8D?ME*$J8+2r$G4V0c$C$F$$$k>l9g$O;XE&$7$F$/$@$5$$!#(B
(B
(Bhttp://www.pgp.com/research/covert/advisories/048.asp   $B$+$i0lItH4?h(B
(B
(B
(BThere are two implementations of glob() that are known to contain buffer overflow vulnerabilities. 
(B
(BImplementations based off of the c-shell globbing code contain a buffer overflow that can be triggered by supplying a pattern string 
(Bsuch that a set of brackets {} is followed by a string that is longer than the length reserved for the stack based buffer defined in 
(Bexecbrc(). This could be exploited by utilizing a code path in the FTP daemon that fed the expanded output of one globbed 
(Bpathname into a second call to glob(). 
(B
$B$H$N5-=R$,$"$k$h$&$K!"(B
(Bc-shell $B$N!!(Bglob() $B$KLdBj$,$"$k$h$&$K;W$$$^$9!#(BFile$BL>$N%Q%?!<%s%^%C%A$N;E;v$O!"(BC$B%i%$%V%i%j$G$J$/!"(Bshell$B$,.EgH%(B at kjm@xxxxxxxxxxxxxxxxxx wrote:
(B>> <f04310500b6f8735bf91b@[10.1.11.253]>$B$K$*$$$F(B
(B>> Sonoda Michio $B$5$s$,$*$C$7$c$k$K$O(B:
(B>> | FTP$B%5!<%P!<$KBg!9E*$K1F6A$9$k$H;W$o$l$k%;%-%e%j%F%#%[!<%k$,8+$D$+$C$F$^$9!#(B
(B>> | http://www.pgp.com/research/covert/advisories/048.asp
(B>> 
(B>> $B@hF|$N%3%l$b4XO"$G$9$h$M$(!"$?$V$s!#(B
(B>> 
(B>> <http://www.st.ryukoku.ac.jp/~kjm/security/memo/2001/03.html#20010316_ftpd>
(B>
(B>$B$6$C$H8+$?46$8!"4XO"$7$F$$$=$&$G$9$M!#(B
(B>
(B>
(B>> $B:#(B FreeBSD $B$N(B lib/libc/gen/glob.c $B8+$F$_$^$7$?$,!"$=$N8e$b$$$m$$(B
(B>> $B$ml9g$O$9$Y$F1F6A$9$k$N$+$J!)(B
(B>CERT/CC$B$b%"%I%P%$%6%j$r=P$7$F$^$9$M!#Aa$$(B(*_*)$B!#(B
(B> http://www.cert.org/advisories/CA-2001-07.html
(B>$B!&!&!&$H;W$C$?$i!"$A$g$C$H0c$&$_$?$$!)0lIt$K$D$$$F$@$1$J$N$+$J!)(B
(B>
(B>$B!t$H$b$"$l!"(BCERT/CC$B$,$3$l$@$1Aa$$$N$@$+$i(BJPCERT/CC$B$bAa$$$K0c$$$J$$(B(^_-)
(B>$B!t$H$$$&$3$H$O!"%5!<%P4IM}http://www.yk.rim.or.jp/~shikap/patch/
(B>$B!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a(B
(B>
(B>
(B>--
(B>- $B$3$N%a%$%j%s%0%j%9%H$K4X$9$khttp://www.infoseek.co.jp/Playspot?pg=playspot_top.html&svx=971122
(B>
(B
(B------------------------------
(B Name   : Seiichi Nakashima
(B E-Mail : nakasei@xxxxxxxxxxxx
(B------------------------------
(B--
(B- $B$3$N%a%$%j%s%0%j%9%H$K4X$9$khttp://www.infoseek.co.jp/Playspot?pg=playspot_top.html&svx=971122

Follow-Ups:
- [stalk:00282] Re: FTP $B%5!<%P$K(B$B%;%-%e%j%F%#%[!<%k(B
  - From: KOJIMA Hajime / $B>.EgH%(B

References:
- [stalk:00277] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
  - From: Shikata Koji

Prev by Date: [stalk:00280] [FYI]snort1.8-beta1 $B$G(B$B$F$^$9(B
Next by Date: [stalk:00282] Re: FTP $B%5!<%P$K(B$B%;%-%e%j%F%#%[!<%k(B
Previous by thread: [stalk:00277] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
Next by thread: [stalk:00282] Re: FTP $B%5!<%P$K(B$B%;%-%e%j%F%#%[!<%k(B
Index(es):
- Date
- Thread

[stalk:00281] Re: FTP $B%5!<%P(B$B$K%;%-%e%j%F%#%[!<%k(B

[stalk:00281] Re: FTP $B%5!<%P(B$B$K%;%-%e%j%F%#%[!<%k(B